Information recording/reproducing apparatus and method

ABSTRACT

When a player cannot play back data because a master key held by the player has a generation older than the generation of a master key having been used for recording the data, or when a recorder cannot record data because a master key held by the recorder has a generation older than the generation of a master key necessary for recording to a recording medium, the user is prompted to renew the master key for acquisition of the necessary master key, thereby enabling the data playback or data recording. The renewed master key is distributed in such a form that can be processed by a specific device via a transmission medium such as a recording medium, network, IC card, telephone line, for example, via a tree-structured distribution system.

TECHNICAL FIELD

The present invention relates generally to an information recorder,information player, information recording method, information playbackmethod, key renewing terminal, generation-managed key renewing method,information recording medium, and a program serving medium, and moreparticularly to an information recorder, information player, informationrecording method, information playback method, key renewing terminal,generation-managed key renewing method, information recording medium,and a program serving medium, capable of preventing data write to arecording medium to and from which data can be recorded and played backand also unauthorized copying of data in playback of data.

BACKGROUND ART

With the recent advancement and development of the digital signalprocessing technology, digital recorders and recording media have beenprevailing. With such a digital recorder and recording medium, an imageor sound, for example, can be repeatedly recorded and played backwithout any degradation thereof. Since digital data can be repeatedlycopied many times with no degradation of the image and sound qualities,so recording media having digital data illegally recorded therein, ifput on the market, will cause the copyrighters of various contents suchas music, movie, etc. or appropriate or authorized distributors of thecontents to be deprived of profits which would come to the latter ifsuch unauthorized copying is not possible. To prevent such unauthorizedcopying of digital data, various unauthorized copy preventing systemshave recently been introduced in digital recorders and recording media.

As an example of the above unauthorized-copy preventing systems, SCMS(Serial Copy Management System) is adopted in the MD (mini disc) drive(MD is a trademark). The SCMS is such that at a data player side, audiodata is outputted along with SCMS signal from a digital interface (DIF)while at a data recorder side, recording of the audio data from the dataplayer side is controlled based on the SCMS signal from the data playerside, thereby preventing the audio data from being illegally copied.

More particularly, the above SCMS signal indicates that an audio data isa “copy-free” data which is allowed to freely be copied many times, a“copy-once-allowed” data which is allowed to be copied only once or a“copy-prohibited” data which is prohibited from being copied. At thedata recorder side, when receiving an audio data from the DIF, SCMSsignal transmitted along with the audio data is detected. If the SCMSsignal indicates that the audio data is a “copy-free” data, the audiodata is recorded along with the SCMS signal to the mini disc. If theSCMS signal indicates that the audio data is a “copy-once-allowed” data,the audio data is converted to a “copy-prohibited” data and the SCMSsignal is recorded along with the audio data to the mini disc. Further,if the SCMS signal indicates that the audio data is a copy-prohibiteddata, the audio data is not recorded to the mini disc. Under a controlwith the SCMS signal, a copyrighted audio data is prevented from beingillegally copied in the mini disc drive unit.

However, the SCMS is valid only when the data recorder itself isconstructed to control recording of audio data from the data player sidebased on the SCMS signal. Therefore, it is difficult for the SCMS tosupport a mini disc drive not constructed to perform the SCMS control.To apply the SCMS, a DVD player for example adopts a content scramblingsystem to prevent a copyrighted data from being illegally copied.

The content scrambling system is such that encrypted video data, audiodata and the like are recorded in a DVD-ROM (read-only memory) and adecryption key for use to decrypt the encrypted data is granted to eachlicensed DVD player. The license is granted to a DVD player designed inconformity with a predetermined operation rule against unauthorizedcopying etc. Therefore, using the granted decryption key, a licensed DVDplayer can decrypt encrypted data recorded in a DVD-ROM to thereby playback the video and audio data from the DVD-ROM.

On the other band, an unlicensed DVD player cannot decrypt encrypteddata recorded in a DVD-ROM because it has no decryption key for theencrypted data. In short, the content scrambling system prevents a DVDplayer not meeting the licensing requirements from playing a DVD-ROMhaving digital data recorded therein in order to prevent unauthorizedcopying.

However, the content scrambling system adopted in the DVD-ROM isdirected to a recording medium to which the user cannot write data (willbe referred to as “ROM medium” hereunder wherever appropriate), but notto any recording medium to which the user can write data (will bereferred to as “RAM medium” hereunder wherever appropriate).

That is to say, copying all encrypted data recorded in a ROM medium asthey are to a RAM medium will produce a so-called pirated edition of thedata which can be played back by a licensed DVD player.

To solve the above problem, the Applicant of the present inventionproposed, as disclosed in the Japanese Published Unexamined ApplicationNo. 224461 of 1999 (Japanese Patent Application No. 25310 of 1998), amethod in which information to identify each recording medium (will bereferred to as “medium ID information” hereunder) is recorded with otherdata in a recording medium to allow access to the medium ID informationin the recording medium only when a player going to play the recordingmedium has been licensed for the medium ID information.

The above method encrypts data in the recording medium with a privatekey (master key) acquired through licensing of the medium ID informationso that any unlicensed player cannot acquire any meaningful data even ifit can read the encrypted data. Note that a player licensed for themedium ID information has the operation thereof restricted againstunauthorized copying.

No unlicensed player can access the medium ID information. The medium IDinformation is unique to each recording medium. Even if an unlicensedplayer could copy all encrypted data recorded in such a recording mediumto a new recording medium, the data thus recorded in the new recordingmedium cannot correctly be decrypted by the unlicensed player as well asby a licensed player. Thus, it is substantially possible to prevent datafrom being illegally copied.

Now it should be reminded that in the above conventional system, aprivate key (master key) acquired through licensing as having beenproposed in the Japanese Patent Application should be common to all thedevices included in a system, which is required for playing a recordingmedium having data recorded therein by any other device in the system(to secure the interoperability).

However, if an attacker has attacked any one of devices included in asystem and succeeded in uncovering the private key held in the device,it will be the same as when private keys of all the devices have beenuncovered, so that data recorded in the device before the private key isuncovered as well as data recorded after the private key was uncovered,will be cryptanalyzed by the attacker with the private key thusuncovered.

To avoid the above, the Applicant of the present invention proposed, asin the Japanese Patent Application No. 294928 of 1999, a method formanaging the generation of the master key. The method is such that amaster key common to all devices in a system is used starting with thefirst generation of the master key and a private key unique to each ofdevice groups is used, thereby acquiring, from a recording medium, amaster key which the newest when the recording medium has been produced.Namely, to a group having the master key thereof uncovered as in theabove, there is not granted any master key of the next generation forrecording media which are produced after the master key was uncovered.Thus, the devices which are appropriate or authorized, namely, havetheir master key not uncovered, can acquire a master key of a youngergeneration while the devices whose master key has been uncovered cannotacquire any master key of a younger generation than a one at which themaster key has been uncovered last.

The recorder can record data to a recording medium only with a masterkey of a generation as young as or younger than the generation of amaster key stored in the recording medium. A recorder having a masterkey meeting the above requirement encrypts data with its latest masterkey for recording. Thus, even for recording to an old recording medium,data is encrypted for the recording with a nearly latest master key by adevice (recorder/player) which is appropriate, that is, whose master keyhas not been uncovered. So, the data recorded in the old recordingmedium can be prevented from being read by any inappropriate orunauthorized device which cannot acquire the latest master key.

In a system in which the above-mentioned generation-managed master keyis used, the recorder encrypts data with its own latest-generationmaster key for recording of the data to a recording medium. For playingof the recording medium by a player other than the recorder/playerhaving recorded data to the recorder medium, the master key of thegeneration having been used for recording the data has to be known tothe player going to play the recording medium. However, alatest-generation master key cannot be acquired unless access is made toa latest-generation recording medium. Namely, since the master key ofthe generation on which the data has been recorded cannot be known, evenan appropriate or authorized player cannot play back data recorded inthe recording medium as the case may be.

Also, a recorder going to record data to a recording medium has to havea master key of a generation younger than allowed by the recordingmedium. However, since there is a likelihood that an encrypted masterkey common to a group of devices has been removed from a master keytable in the recording medium because the master key for the group hasbeen uncovered, even an appropriate or authorized recorder going torecord data to a recording medium cannot record the data to therecording medium as the case may be.

DISCLOSURE OF THE INVENTION

Accordingly, the present invention has an object to overcome theabove-mentioned drawbacks of the prior art by providing an informationrecorder, information player, information recording method, informationplayback method, key renewal terminal, generation-managed key renewingmethod, information recording medium and a program serving medium,capable of assuring a wider interoperability while maintaining thefunction of preventing data from illegally being copied.

According to the first aspect of the present invention, there can beprovided an information recorder for recording information to arecording medium, the apparatus including: a cryptography means forencrypting information to be recorded to the recording medium by acryptography with a generation-managed encryption key which is renewedto a different key for each generation; and a user interface for makinga comparison between generation information on a device-storedgeneration-managed encryption key stored in a storage means of theinformation recorder and prerecording generation information which isrecording-medium generation information prestored in the recordingmedium, and outputting a warning when the comparison result is that theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key.

Also in the above information recorder according to the presentinvention, the device-stored generation-managed encryption key is amaster key stored in common to a plurality of information recorders.

Further in the above information recorder according to the presentinvention, the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information.

Further in the above information recorder according to the presentinvention, the cryptography means includes a key creating means forcreating, based on the device-stored generation-managed encryption key,a generation-managed encryption key whose generation information isolder than the generation information on the device-storedgeneration-managed encryption key.

Further in the above information recorder according to the presentinvention, the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information, and thekey renewing means decrypts an encrypted to-be-renewedgeneration-managed encryption key with a device key stored in theinformation recorder to create an renewed generation-managed encryptionkey.

Further in the above information recorder according to the presentinvention, the cryptography means acquires a key table in which theencrypted to-be-renewed generation-managed encryption key and adecrypting device key identifier are correlated with each other todecrypt the encrypted to-be-renewed generation-managed encryption keywith a device key identified based on the device key identifier in thekey table.

Further in the above information recorder according to the presentinvention, the device key is a key common to information recordersgrouped by categorization into a common category.

Further in the above information recorder according to the presentinvention, the device key is a key common to information recordersenclosed in the same group by grouping based on serial numbers assignedto the information recorders.

Further in the above information recorder according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information recorders each as a leaf and a leaf key unique toeach of the information recorders, and the generation-managed encryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key is a master key commonto the plurality of information recorders.

Further in the above information recorder according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an informationrecorder at a leaf where the node key has to be renewed, and thecryptography means in the information recorder receives renewal data forthe generation-managed encryption key encrypted with the renewed nodekey, encrypts the key renewal block (KRB) to acquire the renewed nodekey, and acquires renewal data for the generation-managed encryption keybased on the thus-acquired renewed node key.

Further in the above information recorder according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key has a generation numberas renewal information correlated therewith, and the cryptography meansstores, as a recording generation number into the recording medium, ageneration number of the generation-managed encryption key having beenused for storing encrypted data into the recording medium.

According to the second aspect of the present invention, there can beprovided an information recorder for recording information to arecording medium, the apparatus including: a cryptography means forencrypting information to be recorded to the recording medium by acryptography with a generation-managed encryption key which is renewedto a different key for each generation; and a key acquiring means formaking a comparison between generation information on a device-storedgeneration-managed encryption key stored in a storage means of theinformation recorder and prerecording generation information which isrecording-medium generation information prestored in the recordingmedium, and acquiring a generation-managed encryption key of ageneration as young as or younger than that indicated by theprerecording generation information when the comparison result is thatthe prerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key.

Also in the above information recorder according to the presentinvention, the key acquiring means includes a communication interfacecapable of receiving data via a network.

Further in the above information recorder according to the presentinvention, the key acquiring means includes a communication modemcapable of receiving data via a telephone line.

Further in the above information recorder according to the presentinvention, the key acquiring means includes an I/C card interfacecapable of receiving data via an IC card.

Further in the above information recorder according to the presentinvention, the cryptography means makes a mutual authentication with akey serving means when the key acquiring means is going to acquire thegeneration-managed encryption key, and the key acquiring means effectsthe acquisition of the generation-managed key only when the mutualauthentication with the key serving means has successfully been made.

Further in the above information recorder according to the presentinvention, the device-stored generation-managed encryption key is amaster key common to a plurality of information recorders.

Further in the above information recorder according to the presentinvention, the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information.

Further in the above information recorder according to the presentinvention, the cryptography means includes a key creating means forcreating, based on the device-stored generation-managed encryption key,a generation-managed encryption key whose generation information isolder than the generation information on the device-storedgeneration-managed encryption key.

Further in the above information recorder according to the presentinvention, the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information, and thekey renewing means decrypts an encrypted to-be-renewedgeneration-managed encryption key with a device key stored in theinformation recorder to create an renewed generation-managed encryptionkey.

Further in the above information recorder according to the presentinvention, the cryptography means acquires a key table in which theencrypted to-be-renewed generation-managed encryption key and adecrypting device key identifier are correlated with each other todecrypt the encrypted to-be-renewed generation-managed encryption keywith a device key identified based on the device key identifier in thekey table.

Further in the above information recorder according to the presentinvention, the device key is a key common to information recordersgrouped by categorization into a common category.

Further in the above information recorder according to the presentinvention, the device key is a key common to information recordersenclosed in the same group by grouping based on serial numbers assignedto the information recorders.

Further in the above information recorder according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information recorders each as a leaf and a leaf key unique toeach of the information recorders, and the generation-managed encryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key is a master key commonto the plurality of information recorders.

Further in the above information recorder according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an informationrecorder at a leaf where the node key has to be renewed, and thecryptography means in the information recorder receives renewal data forthe generation-managed encryption key encrypted with the renewed nodekey, encrypts the key renewal block (KRB) to acquire the renewed nodekey, and acquires renewal data for the generation-managed encryption keybased on the thus-acquired renewed node key.

Further in the above information recorder according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key has a generation numberas renewal information correlated therewith, and the cryptography meansstores, as a recording generation number into the recording medium, ageneration number of the generation-managed encryption key having beenused for storing encrypted data into the recording medium.

According to the third aspect of the present invention, there can beprovided an information recorder for recording information to arecording medium, the apparatus including: a cryptography means forencrypting information to be recorded to the recording medium by acryptography with a generation-managed encryption key which is renewedto a different key for each generation; and a key renewing terminalconnecting interface for connection of a key renewing terminal whichmakes a comparison between generation information on a device-storedgeneration-managed encryption key stored in a storage means of theinformation recorder and prerecording generation information which isrecording-medium generation information prestored in the recordingmedium, and acquires a generation-managed encryption key of a generationas young as or younger than that indicated by the prerecordinggeneration information when the comparison result is that theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key.

Further in the above information recorder according to the presentinvention, a mutual authentication with the key renewing terminal iseffected for acquiring the generation-managed encryption key from thekey renewing terminal, and the generation-managed encryption key isacquired only when the mutual authentication with the key renewingterminal has successfully been made.

Further in the above information recorder according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information recorders each as a leaf and a leaf key unique toeach of the information recorders, and the generation-managed encryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key is a master key commonto the plurality of information recorders.

Further in the above information recorder according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an informationrecorder at a leaf where the node key has to be renewed, and thecryptography means in the information recorder receives renewal data forthe generation-managed encryption key encrypted with the renewed nodekey, encrypts the key renewal block (KRB) to acquire the renewed nodekey, and acquires renewal data for the generation-managed encryption keybased on the thus-acquired renewed node key.

Further in the above information recorder according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information recorder according to the presentinvention, the generation-managed encryption key has a generation numberas renewal information correlated therewith, and the cryptography meansstores, as a recording generation number into the recording medium, ageneration number of the generation-managed encryption key having beenused for storing encrypted data into the recording medium.

According to the fourth aspect of the present invention, there can beprovided an information player for playing back information from arecording medium, the apparatus including: a cryptography means fordecrypting information read from the recording medium by a cryptographywith a generation-managed encryption key which is renewed to a differentkey for each generation; and a user interface for making a comparisonbetween generation information on a device-stored generation-manageddecryption key stored in a storage means of the information player andrecording generation information which is generation information havingbeen used for recording the information to the recording medium, andoutputting a warning when the comparison result is that the recordinggeneration information is newer than the generation information on thedevice-stored generation-managed decryption key.

Also in the above information player according to the present invention,the cryptography means does not make any information decryption when acomparison made between the recording generation information which isgeneration information having been used for recording the information tothe recording medium and prerecording generation information which isrecording medium generation information prestored in the recordingmedium shows that the prerecording generation information is newer thanthe recording generation information.

Further in the above information player according to the presentinvention, the device-stored generation-managed decryption key is amaster key stored in common to a plurality of information players.

Further in the above information player according to the presentinvention, the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key, ageneration-managed decryption key of a generation as young as or youngerthan that indicated by the prerecording generation information.

Further in the above information player according to the presentinvention, the cryptography means includes a key creating means forcreating, based on the device-stored generation-managed decryption key,a generation-managed decryption key whose generation information isolder than the generation information on the device-storedgeneration-managed decryption key.

Further in the above information player according to the presentinvention, the cryptography means includes means for renewing, when therecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information, and thekey renewing means decrypts an encrypted to-be-renewedgeneration-managed encryption key with a device key stored in theinformation player to create an renewed generation-managed encryptionkey.

Further in the above information player according to the presentinvention, the cryptography means acquires a key table in which theencrypted generation-managed encryption key to ne renewed and adecrypting device key identifier are correlated with each other todecrypt the encrypted to-be-renewed generation-managed encryption keywith a device key identified based on the device key identifier in thekey table.

Further in the above information player according to the presentinvention, the device key is a key common to information players groupedby categorization into a common category.

Further in the above information recorder according to the presentinvention, the device key is a key common to information playersenclosed in the same group by grouping based on serial numbers assignedto the information players.

Further in the above information player according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information players each as a leaf and a leaf key unique toeach of the information players, and the generation-managed encryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information player according to the presentinvention, the generation-managed encryption key is a master key commonto the plurality of information players.

Further in the above information player according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an information playerat a leaf where the node key has to be renewed, and the cryptographymeans receives renewal data for the generation-managed decryption keyencrypted with the renewed node key, encrypts the key renewal block(KRB) to acquire the renewed node key, and acquires renewal data for thegeneration-managed decryption key based on the thus-acquired renewednode key.

Further in the above information player according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information player according to the presentinvention, the generation-managed decryption key has a generation numberas renewal information correlated therewith, and for decryption ofencrypted data read from the recording medium, the cryptography meansreads, from the recording medium, a generation number of thegeneration-managed encryption key having been used for encrypting thedata and decrypts the encrypted data with a generation-manageddecryption key corresponding to the thus-read generation number.

According to the fifth aspect of the present invention, there can beprovided an information player for playing back information from arecording medium, the apparatus including: a cryptography means fordecrypting information read from the recording medium by a cryptographywith a generation-managed decryption key which is renewed to a differentkey for each generation; and a key acquiring means for making acomparison between generation information on a device-storedgeneration-managed decryption key stored in a storage means of theinformation player and recording generation information which isgeneration information having been used for recording the information,and acquiring a generation-managed decryption key of a generation asyoung as or younger than that indicated by the recording generationinformation when the comparison result is that the recording generationinformation is newer than the generation information on thedevice-stored generation-managed decryption key.

Also in the above information player according to the present invention,the cryptography means does not make any information decryption when acomparison made between the recording generation information which isgeneration information having been used for recording the information tothe recording medium and prerecording generation information which isrecording medium generation information prestored in the recordingmedium shows that the prerecording generation information is newer thanthe recording generation information.

Also in the above information player according to the present invention,the key acquiring means includes a communication interface capable ofreceiving data via a network.

Further in the above information player according to the presentinvention, the key acquiring means includes a communication modemcapable of receiving data via a telephone line.

Further in the above information player according to the presentinvention, the key acquiring means includes an I/C card interfacecapable of receiving data via an IC card.

Further in the above information player according to the presentinvention, the cryptography means makes a mutual authentication with akey serving means when the key acquiring means is going to acquire thegeneration-managed decryption key, and the key acquiring means effectsthe acquisition of the generation-managed key only when the mutualauthentication with the key serving means has successfully been made.

Further in the above information player according to the presentinvention, the device-stored generation-managed decryption key is amaster key common to a plurality of information players.

Further in the above information player according to the presentinvention, the cryptography means includes means for renewing, when therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key, ageneration-managed decryption key of a generation as young as or youngerthan that indicated by the recording generation information.

Further in the above information player according to the presentinvention, the cryptography means includes a key creating means forcreating, based on the device-stored generation-managed encryption key,a generation-managed decryption key whose generation information isolder than the generation information on the device-storedgeneration-managed decryption key.

Further in the above information player according to the presentinvention, the cryptography means includes means for renewing, when therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the recording generation information, and the keyrenewing means decrypts an encrypted to-be-renewed generation-manageddecryption key with a device key stored in the information player tocreate an renewed generation-managed encryption key.

Further in the above information player according to the presentinvention, the cryptography means acquires a key table in which theencrypted to-be-renewed generation-managed encryption key and adecrypting device key identifier are correlated with each other todecrypt the encrypted to-be-renewed generation-managed encryption keywith a device key identified based on the device key identifier in thekey table.

Further in the above information player according to the presentinvention, the device key is a key common to information players groupedby categorization into a common category.

Further in the above information player according to the presentinvention, the device key is a key common to information playersenclosed in the same group by grouping based on serial numbers assignedto the information players

Further in the above information player according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information players each as a leaf and a leaf key unique toeach of the information players, and the generation-managed decryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information player according to the presentinvention, the generation-managed decryption key is a master key commonto the plurality of information players.

Further in the above information player according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromdecryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an information playerat a leaf where the node key has to be renewed, and the cryptographymeans receives renewal data for the generation-managed decryption keyencrypted with the renewed node key, encrypts the key renewal block(KRB) to acquire the renewed node key, and acquires renewal data for thegeneration-managed decryption key based on the thus-acquired renewednode key.

Further in the above information player according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information player according to the presentinvention, the generation-managed decryption key has a generation numberas renewal information correlated therewith, and for decryption ofencrypted data read from the recording medium, the cryptography meansreads, from the recording medium, a generation number of thegeneration-managed encryption key having been used for encrypting thedata and decrypts the encrypted data with a generation-manageddecryption key corresponding to the thus-read generation number.

According to the sixth aspect of the present invention, there can beprovided an information player for playing back information from arecording medium, the apparatus including: a cryptography means fordecrypting information read from the recording medium by a cryptographywith a generation-managed decryption key which is renewed to a differentkey for each generation; and a key renewing terminal connectinginterface for connection of a key renewing terminal which makes acomparison between generation information on a device-storedgeneration-managed encryption key stored in a storage means of theinformation player and recording generation information which isgeneration information having been used for recording the information tothe recording medium and acquires a generation-managed decryption key ofa generation as young as or younger than that indicated by thegeneration information on the device-stored generation-manageddecryption key when the comparison result is that the recordinggeneration information is newer than the generation information on thedevice-stored generation-managed decryption key.

Further in the above information player according to the presentinvention, a mutual authentication with a key serving means is effectedwhen the key acquiring means is going to acquire the generation-manageddecryption key, and the acquisition of the generation-managed key iseffected only when the mutual authentication with the key serving meanshas successfully been made.

Further in the above information player according to the presentinvention, there are provided a node key unique to each of nodesincluded in a hierarchical tree structure including a plurality ofdifferent information players each as a leaf and a leaf key unique toeach of the information players, and the generation-managed decryptionkey is a key which can be renewed with at least either the node key orleaf key.

Further in the above information player according to the presentinvention, the generation-managed decryption key is a master key commonto the plurality of information players.

Further in the above information player according to the presentinvention, the node key can be renewed, there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromdecryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an information playerat a leaf where the node key has to be renewed, and the cryptographymeans in the information player receives renewal data for thegeneration-managed decryption key encrypted with the renewed node key,encrypts the key renewal block (KRB) to acquire the renewed node key,and acquires renewal data for the generation-managed decryption keybased on the thus-acquired renewed node key.

Further in the above information player according to the presentinvention, the key renewal block (KRB) is stored in a recording mediumand the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.

Further in the above information player according to the presentinvention, the generation-managed decryption key has a generation numberas renewal information correlated therewith, and for decryption ofencrypted data read from the recording medium, the cryptography meansreads, from the recording medium, a generation number of thegeneration-managed encryption key having been used for encrypting thedata and decrypts the encrypted data with a generation-manageddecryption key corresponding to the thus-read generation number.

According to the seventh aspect of the present invention, there can beprovided an information recording method for recording information to arecording medium, the method including the steps of: encryptinginformation to be recorded to the recording medium by a cryptographywith a generation-managed encryption key which is renewed to a differentkey for each generation; making a comparison between generationinformation on a device-stored generation-managed encryption key storedin a storage means of an information recorder and prerecordinggeneration information which is recording-medium generation informationprestored in the recording medium; and outputting a warning when thecomparison result is that the prerecording generation information isnewer than the generation information on the device-storedgeneration-managed encryption key.

According to the eighth aspect of the present invention, there can beprovided an information recording method for recording information to arecording medium, the method including the steps of: encryptinginformation to be recorded to the recording medium by a cryptographywith a generation-managed encryption key which is renewed to a differentkey for each generation; and making a comparison between generationinformation on a device-stored generation-managed encryption key storedin a storage means of the information recorder and prerecordinggeneration information which is recording-medium generation informationprestored in the recording medium; and acquiring a generation-managedencryption key of a generation as young as or younger than thatindicated by the prerecording generation information when the comparisonresult is that the prerecording generation information is newer than thegeneration information on the device-stored generation-managedencryption key.

Further in the above information recording method according to thepresent invention, the key acquiring step further includes the steps of:renewing the generation-managed encryption key with at least either anode key unique to each of nodes included in a hierarchical treestructure including a plurality of different information recorders eachas a leaf or a leaf key unique to each of the information recorders; andencrypting data to be recorded into the recording medium with thegeneration-managed encryption key renewed in the renewing step.

Further in the above information recording method according to thepresent invention, the generation-managed encryption key is a master keycommon to the plurality of information recorders.

Further in the above information recording method according to thepresent invention, the node key can be renewed; there is distributed,when a node key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an informationrecorder at a leaf where the node key has to be renewed; and therenewing step further including the steps of: acquiring a renewed nodekey by encryption of the key renewal block (KRB); and calculatingrenewal data for the generation-managed encryption key based on thethus-acquired renewed node key.

Further in the above information recording method according to thepresent invention, the generation-managed encryption key has ageneration number as renewal information correlated therewith; and theencrypting step further includes the step of: storing, as a recordinggeneration number into the recording medium, a generation number of thegeneration-managed encryption key having been used for storing encrypteddata into the recording medium.

According to the ninth aspect of the present invention, there can beprovided an information playback method for playing back informationfrom a recording medium, the method including the steps of: decryptinginformation read from the recording medium by a cryptography with ageneration-managed encryption key which is renewed to a different keyfor each generation; making a comparison between generation informationon a device-stored generation-managed decryption key stored in a storagemeans of the information player and recording generation informationwhich is generation information having been used for recording theinformation to the recording medium; and outputting a warning when thecomparison result is that the recording generation information is newerthan the generation information on the device-stored generation-manageddecryption key.

According to the tenth aspect of the present invention, there can beprovided an information playback method for playing back informationfrom a recording medium, the method including: decrypting informationread from the recording medium by a cryptography with ageneration-managed decryption key which is renewed to a different keyfor each generation; making a comparison between generation informationon a device-stored generation-managed decryption key stored in a storagemeans of the information recorder/player and recording generationinformation which is generation information having been used forrecording the information; and acquiring a generation-managed decryptionkey of a generation as young as or younger than that indicated by therecording generation information when the comparison result is that therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key.

Further in the above information playback method according to thepresent invention, the key acquiring step further includes the steps of:renewing the generation-managed decryption key with at least either anode key unique to each of nodes included in a hierarchical treestructure including a plurality of different information players each asa leaf or a leaf key unique to each of the information players; anddecrypting data to be recorded into the recording medium with thegeneration-managed decryption key renewed in the renewing step.

Further in the above information playback method according to thepresent invention, the generation-managed decryption key is a master keycommon to the plurality of information players.

Further in the above information playback method according to thepresent invention, the node key can be renewed; there is distributed,when a node key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an information playerat a leaf where the node key has to be renewed; and the renewing stepfurther including the steps of: acquiring a renewed node key byencryption of the key renewal block (KRB); and calculating renewal datafor the generation-managed decryption key based on the thus-acquiredrenewed node key.

Further in the above information playback method according to thepresent invention, the generation-managed decryption key has ageneration number as renewal information correlated therewith; and thedecrypting step further includes the step of: reading a generationnumber of the generation-managed encryption key having been used forencrypting the data from the recording medium; and decrypting theencrypted data read from the recording medium with a generation-manageddecryption key corresponding to the thus-read generation number.

According to the eleventh aspect of the present invention, there can beprovided an information recording medium to which information can berecorded, the medium having stored therein: prerecording generationinformation as generation information on a key allowed as an encryptionkey usable for writing encrypted data to the information recordingmedium or a decryption key usable for decrypting data read from theinformation recording medium.

Also in the above information recording medium according to the presentinvention, the prerecording generation information is recorded in anon-writable area thereof.

According to the twelfth aspect of the present invention, there can beprovided a key renewing terminal for serving a renewedgeneration-managed key to an information recorder or player having acryptography means for encrypting information to be recorded to arecording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the apparatusincluding: an interface connectable to the information recorder orplayer; means for communications with outside; and means for controllingeach of acquisition of a device-unique identifier from the informationrecorder or player via the interface, transmission of the device-uniqueidentifier via the communications means, and transfer of the renewedgeneration-managed key to the information recorder or player via theinterface.

According to the thirteenth aspect of the present invention, there canbe provided a key renewing terminal for serving a renewedgeneration-managed key to an information recorder or player having acryptography means for encrypting information to be recorded to arecording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the apparatusincluding: an interface connectable to the information recorder orplayer; a storage means having stored therein a key table in which ageneration-managed key encrypted with a device-unique encryption key iscorrelated with an identifier unique to the information recorder orplayer; and means for controlling each of acquisition of thedevice-unique identifier from the information recorder or player via theinterface, acquisition, based on the device-unique identifier, of anencrypted generation-managed key corresponding to the device-uniqueidentifier from the storage means, and transfer of the renewedgeneration-managed key to the information recorder or player via theinterface.

Also in the above key renewing terminal according to the presentinvention, a mutual authentication is effected with the informationrecorder or player; and the generation-managed key is served to theinformation recorder or player only when the mutual authentication hassuccessfully be made.

According to the fourteenth aspect of the present invention, there canbe provided a generation-managed key renewing method for serving arenewed generation-managed key to an information recorder or playerhaving a cryptography means for encrypting information to be recorded toa recording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the method includingthe steps of: connecting a key renewing terminal including an interfaceconnectable to the information recorder or player and means forcommunications with outside to the information recorder or player;acquiring a device-unique identifier from the information recorder orplayer via the interface; transmitting the device-unique identifier viathe communications means; receiving the renewed generation-managed keyvia the communications means; and transferring the renewedgeneration-managed key to the information recorder or player via theinterface.

According to the fifteenth aspect of the present invention, there can beprovided a generation-managed key renewing method for serving a renewedgeneration-managed key to an information recorder or player having acryptography means for encrypting information to be recorded to arecording medium or an information recorder having a cryptography meansfor decrypting information read from a recording medium, each by acryptography with a generation-managed key which can be renewed to adifferent key for each generation, the method including the steps of:connecting a key renewing terminal including an interface connectable tothe information recorder or player and a storage means having storedtherein a key table in which a generation-managed key encrypted with anencryption key unique to a device-unique key is correlated with adevice-unique identifier of the information recorder or player to theinformation recorder or player; acquiring the device-unique identifierfrom the information recorder or player via the interface; acquiring,based on the device-unique identifier, an encrypted generation-managedkey corresponding to the device-unique key from the storage means; andtransferring a renewed generation-managed key to the informationrecorder or player via the interface.

Also in the above generation-managed key renewing method according tothe present invention, a mutual authentication is effected with theinformation recorder or player; and the renewed generation-managed keyis served to the information recorder or player only when the mutualauthentication has successfully be made.

According to the sixteenth aspect of the present invention, there can beprovided a program serving medium for serving a computer program underwhich information is recorded to a recording medium in a computersystem, the computer program including the steps of: making a comparisonbetween generation information on a device-stored generation-managedencryption key stored in a storage means of an information recorder andprerecording generation information which is recording-medium generationinformation prestored in the recording medium; encrypting information tobe stored into the recording medium by a cryptography with ageneration-managed encryption key which can be renewed to a differentkey for each generation; and effecting at least either outputting of awarning or acquisition of a generation-managed encryption key of ageneration as young as or younger than that indicated by the generationinformation on the device-stored generation-managed encryption key whenthe comparison result is that the prerecording generation information isnewer than the generation information on the device-storedgeneration-managed encryption key.

Further in the above program serving medium according to the presentinvention, the computer program further including the step of renewingthe generation-managed encryption key by encryption of encrypted dataread from the recording medium with at least either a node key unique toeach of nodes included in a hierarchical tree structure including aplurality of different information recorders each as a leaf or a leafkey unique to each of the information recorders.

According to the seventeenth aspect of the present invention, there canbe provided a program serving medium for serving a computer programunder which information is recorded to a recording medium in a computersystem, the computer program including the steps of: making a comparisonbetween generation information on a device-stored generation-managedencryption key stored in a storage means of an information player andrecording generation information which is generation information havingbeen used for recording the information to the recording medium;decrypting information read from the recording medium by a cryptographywith a generation-managed decryption key which can be renewed to adifferent key for each generation; and effecting at least eitheroutputting of a warning or acquisition of a generation-managedencryption key of a generation as young as or younger than thatindicated by the generation information on the device-storedgeneration-managed decryption key when the comparison result is that therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key.

Further in the above program serving medium according to the presentinvention, the computer program further including the step of renewingthe generation-managed decryption key by decryption of encrypted dataread from the recording medium with at least either a node key unique toeach of nodes included in a hierarchical tree structure including aplurality of different information players each as a leaf or a leaf keyunique to each of the information players.

According to the present invention, when the generation of a master keyheld in a player is older than the generation at which data has beenrecorded so that the data cannot be played back, the user is prompted torenew the master key and acquire a necessary master key for playback ofthe data. The master key is acquired using a transmission medium such asa medium other than a recording medium having the data recorded therein,network or the like, and the data is played back with the thus-acquiredmaster key.

Also according to the present invention, when the generation of a masterkey held in a recorder is older than a generation of a master keynecessary for recording data to a recording medium so that the datacannot be recorded, the user is prompted to renew the master key andacquire a necessary master key for recording the data. The master key isacquired using a transmission medium such as a medium other than therecording medium to which the data is to be recorded, network or thelike, and the data is recorded with the thus-acquired master key.

Note that the program serving media according to the sixteenth andseventeenth aspects of the present invention are for example a mediumwhich serves a computer program in a computer-readable form to ageneral-purpose computer system capable of executing various programcodes. The medium is not limited to any special form but it may be anyof recording media such as CD, FD, MO, etc. and transmission media suchas a network.

The above program serving media define a structural or functionalcollaboration between a computer program and medium to perform functionsof a predetermined computer program in a computer system. In otherwords, when the computer program is installed in a computer system viathe program serving medium, it will work collaboratively in the computersystem to provide the similar effects to those in the other aspects ofthe present invention.

These objects and other objects, features and advantages of the presentinvention will become more apparent from the following detaileddescription of the preferred embodiments of the present invention whentaken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the construction of the cryptographyunit included in the information recorder/player of the presentinvention.

FIG. 2 illustrates the master key management in the informationrecorder/player according to the present invention.

FIG. 3 shows a flow of operations effected in renewal of a master key inthe information recorder/player according to the present invention.

FIG. 4 is a block diagram showing the master key renewal in theinformation recorder/player according to the present invention.

FIG. 5 shows a flow of operations effected in information playback inthe information recorder/player according to the present invention.

FIG. 6 is a block diagram showing the construction of the informationrecorder/player (embodiment 1) according to the present invention.

FIG. 7 is a block diagram showing the construction of the cryptographyunit capable of a strict master key generation management in theinformation recorder/player according to the present invention.

FIG. 8 shows the master key management in the informationrecorder/player according to the present invention, capable of thestrict master key management.

FIG. 9 shows a flow of operations effected in content recording in theinformation recorder/player according to the present invention, capableof the strict master key management.

FIG. 10 shows a flow of operations effected in master key renewal in theinformation recorder/player according to the present invention, capableof the strict master key management.

FIG. 11 shows the storage of master key generation information in theinformation recorder/player according to the present invention, capableof the strict master key management.

FIG. 12 shows a flow of operations effected in content playback in theinformation recorder/player according to the present invention, capableof the strict master key management.

FIG. 13 is a block diagram showing the construction of the informationrecorder/player (embodiment 2) according to the present invention.

FIG. 14 shows a flow of operations effected in content recording in theinformation recorder/player (embodiment 2) according to the presentinvention, capable of the strict master key management.

FIG. 15 shows a flow of operations effected in content playback in theinformation recorder/player (embodiment 2) according to the presentinvention, capable of the strict master key management.

FIG. 16 is a block diagram showing the construction of the informationrecorder/player (embodiment 3) according to the present invention.

FIG. 17 shows a flow of operations effected in content recording in theinformation recorder/player (embodiment 3) according to the presentinvention, capable of the strict master key management.

FIG. 18 shows a sequence of authentication (common key system)applicable to the key acquisition in the information recorder/playeraccording to the present invention.

FIG. 19 shows a sequence of authentication (public key system)applicable to the key acquisition in the information recorder/playeraccording to the present invention.

FIG. 20 shows the configuration of a public key certificate used in theauthentication application to key acquisition in the informationrecorder/player according to the present invention.

FIG. 21 shows the configuration of a revocation list in the informationrecorder/player according to the present invention.

FIG. 22 shows the configuration of registration list in the informationrecorder/player according to the present invention.

FIG. 23 shows a flow of operations effected in content playback in theinformation recorder/player according to the present invention.

FIG. 24 is a block diagram showing the construction of the key renewingterminal used in the information recorder/player according to thepresent invention.

FIG. 25 is a block diagram explaining an example (1) of the key renewalwith the key renewing terminal in the information recorder/playeraccording to the present invention.

FIG. 26 shows a sequence of authentication (common key system) using thekey renewing terminal, applicable to the key acquisition in theinformation recorder/player according to the present invention.

FIG. 27 shows a sequence of authentication (public key system) using thekey renewing terminal, applicable to the key acquisition in theinformation recorder/player according to the present invention.

FIG. 28 shows an example of the key table held in a key issuinginstitute, used in the key acquisition by the key renewing terminal inthe information recorder/player according to the present invention.

FIG. 29 is a block diagram explaining an example (2) of the key renewalwith the key renewing terminal in the information recorder/playeraccording to the present invention.

FIG. 30 is a block diagram explaining an example (3) of the key renewalwith the key renewing terminal in the information recorder/playeraccording to the present invention.

FIG. 31 is a block diagram explaining an example (4) of the key renewalwith the key renewing terminal in the information recorder/playeraccording to the present invention.

FIG. 32 shows a tree structure diagram explaining the encryption of keyssuch as a master key, medium key and the like in the informationrecorder/player according to the present invention.

FIGS. 33A and 33B show examples of the key renewal block (KRB) used indistribution of keys such as a master key, medium key and the like is ablock diagram (1) explaining the key renewal with the key renewingterminal in the information recorder/player according to the presentinvention.

FIG. 34 shows examples of key distribution and decryption using therenewal key block (KRB) for the master key in the informationrecorder/player according to the present invention.

FIG. 35 shows a flow of operations made in the decryption using the keyrenewal block (KRB) for the master key in the informationrecorder/player according to the present invention.

FIG. 36 is a block diagram explaining a procedure, followed in theinformation recorder/player according to the present invention, forreceiving KRB from outside via a communications means or the like andstoring it into a recording medium.

FIG. 37 shows a flow of operations effected in receiving KRB fromoutside via the communications means or the like and storing into arecording medium in the information recorder/player according to thepresent invention.

FIG. 38 explains the procedure, followed in the informationrecorder/player according to the present invention, for receiving KRBfrom outside via the communications means or the like and storing itinto a recording medium.

FIG. 39 shows an example of the recording medium usable in the systemaccording to the present invention.

FIG. 40 is a block diagram showing the construction of the dataprocessor which processes data by software in the informationrecorder/player according to the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

[1. Basic System Configuration for Master Key Generation Management]

Referring now to FIG. 1, there is schematically illustrated in the formof a block diagram one embodiment of the information player according tothe present invention, showing mainly the cryptography unit. Theinformation player is generally indicated with a reference 100. Theinformation player 100 includes a device key holder 101 which holds adevice key DK_j assigned to the information player 100. The informationrecorder/player 100 includes also an encrypted data holder 102 whichholds an encrypted master key C(j, i) (master key MK_i encrypted withthe device key DK). The relation between the device key DK_j, master keyMK_i and encrypted master key C(j, i) is expressed by C(j, i)=Enc(DK_j,MK_i).

Note that the “i” indicates a generation number of the master key, “j”indicates a category number. The category number is a number assigned toa device such as an information player or the like. It is assigned toeach predetermined unit such as a device, device manufacturer, devicemodel, device lot or a predetermined number of the devices, for example,a serial number appended to a device. The device key DK_j will bereferred to simply as “device key DK” hereunder wherever the device keyDK_j has not to be identified with a category number j. Similarly, themasker key MK will be referred to simply as “master key MK” hereunderwherever it has not to be identified with the generation number i.Correspondingly, the encrypted master key C(j, i) will be referred tosimply as “encrypted master key C” hereunder.

The device key DK and encrypted master key C are granted to a devicefrom a key issuing institute, and prestored. The key issuing institutestores the encrypted master key MK while confidentially storing thedevice key DK in correlation with the category number j.

The information player 100 further includes a master key decryption unit103 which uses the device key DK held in the device key holder 101 todecrypt the encrypted master key C stored in the encrypted data holder102, thereby acquiring the master key MK. That is, on the assumptionthat a function by which encrypted data X is decrypted with a key Y isDEC(X, Y), the master key decryption unit 103 calculates an equationMK_i=DEC(DK_j, C(j,i)). The master key MK thus acquired is supplied to acryptanalysis unit 104 also included in the information player 100.

The cryptanalysis unit 104 uses the master key MK supplied from themaster key decryption unit 103 to cryptanalyze data encrypted with themaster key MK, read by the data reader 105 from a recording medium(optical disc) 150 or the like. More particularly, the recording medium150 has recorded therein data having been encrypted with the master keyMK, and the cryptanalysis unit 104 cryptanalyzes (decrypts) theencrypted data with the master key MK. When the cryptanalyzed data isimage data for example, it will be outputted to a display device anddisplayed thereon. Also a data reader 105 is included in the informationplayer 100. For renewing the master key MK as will be described later,the data reader 105 will read, from the recording medium (optical disc)150 having recorded therein data to be renewed, the encrypted master keyC derived from encryption of the master key MK with the device key DK,and outputs it to the encrypted data holder 102.

Next, the renewal of the master key MK in the information player 100will be described. The master key MK is renewed irregularly, forexample, when the master key MK_i having a generation number i has beenuncovered by an attacker or the like, or regularly at predeterminedintervals. In the following, it is assumed that for renewal of themaster key MK_i, an optical disc having recorded therein a master keyMK_i having been encrypted with the device keys DK_j of all the devices(encrypted master key C(j, i)) is distributed from the key issuinginstitute to the information player 100. Note that the encrypted masterkey C(j, i) may of course be distributed via a recording medium otherthan an optical disc or via a network such as the Internet. Also, therecording medium (optical disc) 150 has not to be a one dedicated forrenewal of the master key MK_i but may be a one having recorded thereina content such as video data, audio data or the like or a one to which acontent can be recorded in future.

FIG. 2 shows an example of the encrypted master key C(j, i) recorded inthe recording medium (optical disc) 150. This is an example of therenewal of a master key MK_i of a generation i to a master key MK_i+1 ofa generation i+1. That is, the optical disc 150 has recorded therein acategory number j and an encrypted master key C(j, i+1) derived fromencryption of the master key MK_i+1 with the device key DK_j of thecategory number j as correlated with each other.

As will be seen from FIG. 2, the master key MK_i+1 is common to allcategory numbers j, namely, to all devices. Thus, this commonization ofthe master key MK to all devices enables licensed devices each holding aformal device key DK to use data encrypted with the master key MK incommon, namely, to keep the interoperability. Any device not holding theformal device key DK is not allowed to decrypt the master key MK, andthus cannot decrypt data having been encrypted with the master key MK.

For instance, when a device of a category number 2 has been attacked byan attacker and it is known that the device key DK_2 has been opened,the field for an encrypted master key C(2, i+1) corresponding to thecategory number 2, of the data for renewing the master key MK (encryptedmaster key C(j, i+1)), will be blanked as shown in FIG. 2. Thus, bygranting no master key MK_i+1 of a new generation to the device whosedevice key DK has been uncovered due to such an attacking, it ispossible to remove the device having the device key DK_(—)2 from a groupof devices each having a legal right of use.

Referring now to FIG. 3, there is shown a flow of operations effected inrenewal of the master key. The operations of the information player forrenewing the master key MK_i of a generation i to a master key MK_i+1 ofa generation i+1 will be described below with reference to the flowchart. In step S301, the recording medium (optical disc) 150 havingrecorded therein data for renewal of the above-mentioned master key MKis set by the user into the information player. In step S302, the datareader 105 in the information player reads, from the thus-set opticaldisc 150, an encrypted master key C(j, i+1) assigned to the categorynumber i of the information player (stored device key DK). For example,when the category number j is “3”, the data reader 105 will read anencrypted master key C(3, i+1).

The encrypted master key C(j, i+1) thus read is stored into theencrypted data holder 102 in step S303. Thus, only the renewed masterkey C(j, i+1) is stored in the encrypted data holder 102.

For playback of data having been encrypted with the master key MKrecorded in the optical disc 150 by the use of the master key C(j, i+1)stored in the encrypted data bolder 102, the master key decryption unit103 the encrypted master key C(j, i+1) stored in the encrypted dataholder 102 with a device key DK_j held in the device key holder 101 toacquire a master key MK_i+1 as shown in FIG. 4. Then, the encrypted datarecorded in the recording medium (optical disc) 150 is decrypted withthe master key MK_i+1.

FIG. 5 show a flow of operations made in this data playback procedure.First in step S5001, the data reader 105 in the information player readsdata from the recording medium (optical disc) 150 set in the informationplayer. It should be reminded that the recording medium (optical disc)150 includes a lead-in area and data area and the lead-in area hasrecorded therein file names and TOC (table of contents) such asdirectory information of data recorded in the data area. Also, thelead-in area has recorded therein data (generation information)indicating the generation of a master key MK having been used to encryptthe data in the data area. Note that the generation informationindicates the generation of a master key MK used for encryption of datato be recorded. So, the generation information will be referred to as“recording generation information” hereunder wherever appropriate.

In step S501, the data reader 105 reads data from the lead-in area andthe information player goes to step S502 where the master key decryptionunit 103 will check, based on the data read by the data reader 105 andsupplied via the encrypted data holder 102, the generation i of themaster key MK having been used to encrypt the data in the data area ofthe recording medium 150. Then, the information player goes to step S503where the master key decryption unit 103 will create a master key MK_ifor the generation i of the master key MK it has examined.

For example, when the generation of the thus-examined master key MK isthe latest generation i+1, the master key decryption unit 103 will usethe device key DK held in the device key holder 101 to decrypt theencrypted master key C(j, i+1) stored in the encrypted data holder 102,to thereby create a master key MK_i+1.

When the generation of the master key MK having been examined as in theabove is a one older than held in the encrypted data holder 102, themaster key decryption unit 103 will create a master key MK of thatgeneration from the encrypted master key C stored in the encrypted dataholder 102. That is to say, the master key decryption unit 103 decryptsfirst the master key MK_i+1 as in the above. Further, the master keydecryption unit 103 holds a one-way function f and applies the masterkey MK_i+1 to the one-way function f a number of times corresponding toa difference between the generation of the master key MK_i+1 andexamined generation of the master key MK, thereby creating a master keyMK of the examined generation.

For example, when the generation number of the master key MK stored inthe encrypted data holder 102 is i+1 and that of the master key MK readas in the above is i−1, the master key MK_i−1 is created by the masterkey decryption unit 103 using the one-way function f twice andcalculating f(f(MK_i+1)). When the generation number of the master keyMK stored in the encrypted data holder 102 is i+1 and that of the masterkey MK read as in the above is a generation i−2, the master key MK_i−2is created by the master key decryption unit 103 using the one-wayfunction f three times and calculating f(f(f(MK_i+1))).

It should be reminded herein that the one-way function may be forexample the hash function. More particularly, it may be for example MD5(message digest 5), SHA-1 (secure hash algorithm-1) or the like. The keyissuing institute predetermines master keys MK_(—)1, MK_(—)2, . . . ,MK_N from which master keys each of a generation older than thegeneration of a master key for the device in consideration can becreated using the one-way function. That is, first of all, a master keyMK-N having a generation number N is set, the one-way function isapplied once to the master key MK_N for each generation to bedetermined, thereby sequentially creating the master keys MK_N−1,MK_N−2, . . . , MK_(—)1 older than the master key MK_N. Then, the masterkeys thus created are used in sequence starting with the master keyMK_(—)1 of the oldest generation. Assume here that the one-way functionused for creation of a master key of a generation older than thegeneration of a master key fro the device in consideration, is set inthe master key decryption unit 103 of each of the information players.

Also, the one-way function may be the public key cryptography forexample. In this case, the key issuing institute has a private key basedon the public key cryptography and gives a public ken for the privatekey to each of the information players. The key issuing institute sets amaster key MK_(—)1 of the first generation and uses the master keyMK_(—)1 first. That is, when a master key MK_i of the second generationis required, the key issuing institute creates it for use by convertinga master key MK_i−1 of a generation one generation older than the masterkey MK_i with the private key. This is also applicable to any masterkeys of the third and subsequent generations. In this case, the keyissuing institute has not to create a master key having the generationnumber N using the one-way function in advance. Theoretically, thismethod can be used to create master keys of an infinite number ofgenerations.

Note that if the information player has a master key MK of a generation,it can acquire a master key of a generation older than that generationby converting the master key MK with the public key.

As in the above, the master key decryption unit 103 can use a master keyC derived from encryption of a master key MK of the latest generation tocreate a master key MK of a generation older than the generation. So,the encrypted data holder 102 has only to have stored therein theencrypted master key C of the master key MK of the latest generation.

When the master key MK of the generation examined in step S503 iscreated (decrypted), the data reader 105 reads data from the data areain the recording medium (optical disc) 150 in step S504. Further in stepS504, the cryptanalysis unit 104 will use the master key MK acquired instep S503 to cryptanalyze (decrypt) the data read by the data reader105. When the data thus cryptanalyzed (decrypted) is image data forexample, it is outputted to a display device and displayed thereon instep S505.

Since a master key MK from which a master key of a generation older thanthe generation of the master key for the device in consideration can becreated is renewed by encrypting the master key MK with a device key DKheld by each device and distributing it to each device, as it the above,it is possible to renew the master key MK and remove a device holding anuncovered device key DK while maintaining the interoperability. Also,since each device having a master key MK of the latest generation cancreate a designated master key MK using the one-way function f, thedevice may have a correspondingly reduced memory capacity.

In the information player, the master key MK used for decryption of datais discarded after completion of the decryption. When the master key MKbecomes necessary again, a corresponding one can be created bydecrypting the encrypted master key C with the device key DK. In theinformation player, it is possible to prevent the master key MK frombeing less confidential because it is left unencrypted.

In this embodiment, only an encrypted master key C of a generation whichis a one after the master key C is renewal is stored in the encrypteddata holder 102. In addition, however, an encrypted master key C of eachgeneration may be stored in the encrypted data holder 102. In this case,since the master key MK of each generation may not be acquired bycalculation, so the data processing burden will be reducedcorrespondingly.

Note that since the master keys MK_(—)1, MK_(—)2, . . . , MK_N fromwhich master keys of generations older than those of them can be createdusing the one-way function, cannot be used to create master keys ofgenerations younger than those of them as in the above, so no data canbe decrypted with a master key MK of a new generation created from amaster key of an older generation.

It should be reminded however that renewing of a master key MK permitsto protect data encrypted with any master key MK of a generation whichis a one after the master key MK is renewed but there is some problem inprotection of data encrypted with any master key MK not yet renewed.More particularly, the above-mentioned master key renewing method has aproblem that it is applicable to a recorded which records data encryptedwith a master key and data encrypted with a master key of a generationolder than that of the master key used to encrypt the data, can beplayed back from a recording medium by an information player having beenattacked by an attacker and not given any master key MK of a newgeneration (that is, a device to be revoked) but which has a master keyMK of a generation older than that of the master key used to encryptedthe data, as in the above.

Therefore, if a recorder in which data is encrypted with a master key MKof an older generation, that is, a recorder in which the master key MKis not renewed or cannot be renewed, is used for a long time, the datawill possibly be decrypted by an inappropriate information player, thatis, an information player not given any master key MK of a newgeneration, sometime in the long time of operation.

[2. System Configuration for Strict Management of Master Key Generation]

(2.1 Recorder/Player Construction)

Referring now to FIG. 6, there is illustrated in the form of a blockdiagram of one embodiment of the information recorder/player constructedto solve the above drawbacks according to the present invention. Theinformation recorder/player is generally indicated with a reference 600in FIG. 6. The information recorder/player 600 includes a bus 610,digital I/F (interface) 620, MPEG (Moving Pictures Experts Group) code630, cryptography unit 650 formed from an encryption/decryption LSI(large scale integrated circuit), CPU (central processing unit) 670,memory 680, recording medium I/F 690 and a user I/F 660, all connectedto each other.

The digital I/F 620 receives digital signals as a content supplied fromoutside and outputs them to the bus 610, while receiving digital signalson the bus 610 and outputting them to outside. The MPEG codec 630 makesan MPEG decoding of MPEG-encoded data supplied via the bus 610 andoutputs the data to an A/D converter and D/A converter combination 635also included in the information recorder/player 600, while making anMPEG encoding of digital signals supplied from the A/D converter and D/Aconverter combination 635 and outputting the data to the bus 610.

The A/D converter and D/A converter combination 635 makes a D/A(digital/analog) conversion of the MPEG-decoded digital signals suppliedfrom the MPEG codec 630 to analog signals and supplies the analogsignals to an analog I/F 640 also included in the informationrecorder/player 600, while making an A/D (analog/digital) conversion ofthe digital signals supplied from the A/D converter and D/A convertercombination 635 to analog signals and outputting the analog signals tothe MPEG codec 630. The analog I/F 640 receives analog signals as acontent supplied from outside and outputs the analog signals to the A/Dconverter and D/A converter combination 635 while outputting the analogsignals to outside.

The cryptography unit 650 is formed from a one-chip LSI for example. Itencrypts or decrypts digital signals as a content supplied via the bus610 and outputs the data to the bus 610. Note that the cryptography unit650 is not limited to the one-chip LSI but may be formed from acombination of various kinds of software or hardware. The constructionof such a software-formed cryptography unit will further be describedlater.

The CPU 670 executes a program stored in the memory 680 to control theMPEG codec 630, cryptography unit 650, etc and also makes a variety ofprocessing operations. The memory 680 is for example a nonvolatilememory and stores programs to be executed by the CPU 670 and necessarydata for operations of the CPU 670. The recording medium I/F 690 reads(plays back) digital data, for example, from a recording medium 200 suchas an optical disc or the like and outputs the data to the bus 610,while supplying digital data supplied from the bus 610 to the recordingmedium 200 for recording.

The user I/F 660 includes a display unit and input unit (not shown). Itprovides information to the user, receives an instruction from the user,and outputs it to the bus 610.

(2.2 Cryptography Unit Construction)

Next, the cryptography unit 650 (ex. Encryption/decryption LSI) shown inFIG. 6 will be described in detail with reference to FIG. 7. Note thatthe components of the cryptography unit 650, corresponding to those ofthe information recorder/player shown in FIG. 1, are indicated with thesame references and will not further be described wherever appropriate.

As shown, the cryptography unit 650 includes an encoder 701. The encoder701 encrypts a plain content (unencrypted content) supplied via the bus610 with a master key MK supplied from the master key decryption unit103 to provide an encrypted data (encrypted content) and outputs theencrypted content to the bus 610. The cryptography unit 650 includesalso a decoder 702 which decrypts an encrypted content supplied via thebus 610 with a master key MK fro the master key decryption unit 103 toprovide an unencrypted content and outputs the unencrypted content tothe bus 610. The cryptography unit 650 includes also a master keyrenewal unit 703 which controls renewal of a master key MK stored in theencrypted data holder 102.

(2.3 Key Table Format)

FIG. 8 shows an example format of the recording medium 200 to or fromwhich the recorder/player 600 in FIG. 6 records data or plays back data.FIG. 8 shows the recording medium 200 similar to the recording medium(optical disc) 150 in FIG. 2 and having stored therein a key table basedon which a master key MK_i of a generation i is renewed to a master keyMK_i+1 of a generation i+1. The recording medium 200 has recordedtherein a table (key table) in which a category number j and encryptedmaster key C(j, i+1) correlated with each other as in the optical disc150. The recording medium 200 has further recorded therein generationinformation (Generation #n) indicative of the oldest generation of anecessary master key MK for recording or playback of data to therecording medium 200. It should be reminded that the generationinformation Generation #n is prerecorded in a recording medium duringproduction of the latter for example. For differentiation from theabove-mentioned recording generation information, the generationinformation Generation #n will be referred to as “prerecordinggeneration information (prerecording Generation #n) hereunder whereverappropriate.

The smallest generation number of the necessary master key MK forrecording and playback of data to the recording medium 200 shown in FIG.8 is n. The generation number n is granted as a sequential generationnumber for example. In case the generation number of a master key storedin the memory of the recorder/player 600 is smaller than n, recording ofdata to the recording medium 200 in FIG. 8, or playback of data from therecording medium shown in FIG. 8, will be rejected.

The recording medium 200 shown in FIG. 8 is a one permitting to acquirea master key MK_i+1 by decryption of an encrypted master key C(i+1)stored in the key table with a device key DK stored in eachrecorder/player.

Note that all recording medium have not a key table stored therein. Incase a recording medium 200 having recorded therein only a generationnumber (prerecording generation number) is set in the recorder/player600 for data recording or playback, the recorder/player 600 will make acomparison between the generation number (prerecording generationnumber) and generation number of a master key stored in therecorder/player. If the generation number of the master key stored inthe memory of the recorder/player 600 is smaller than the generationnumber (prerecording generation number) n of the recording medium 200,no data can be recorded to the recording medium 200 shown in FIG. 8 orplayed back from the recording medium 200.

The smallest generation number of the necessary master key MK for datarecording or playback to or from the recording medium 200 in FIG. 8 isn. A recorder/player 600, in which the generation number of the masterkey stored in its own memory is as large as or larger than n, will beable to record data to the recording medium 200. However, if thegeneration number of the master key stored in the memory of therecorder/player 600 is smaller than n, no data recording to therecording medium 200 will be permitted. Data recorded to the recordingmedium 200 by an inappropriate recorder with a master key of an oldergeneration will not be played back by any appropriate player. Also,since data to be legally recorded to the recording medium 200 isencrypted, for recording, with a master key having a generation numberas large as or larger than n without fail, the recorder/player 600 willnot be able to decrypt (play back) the data from the recording medium ifthe generation number of the master key stored in its own memory issmaller than n.

Note that the key table and prerecording generation informationGeneration #n are recorded in an area of the recording medium 200, forexample, the lead-in area (unrewritable area), where they cannot berewritten, whereby the key table and prerecording generation informationGeneration #n can be prevented from illegally being rewritten.

The device is designed so that recording of data to the recording medium200 shown in FIG. 8 cannot be effected (is not permitted) without amaster key MK of a generation later than a generation indicated by theprerecording generation information in the recording medium 200.Therefore, with distribution of the recording medium 200 having aprerecording generation information Generation #n indicating a certaingeneration n, renewal of a master key MK is promoted in a recorder whichrecords data to the recording medium 200 or in the recorder/player shownin FIG. 6 and which can record or play back the prerecording generationinformation, whereby recorders and recorder/players in which there isused a master key of an older generation will be reduced in number withthe result that unauthorized decryption of data is prevented.

That is to say, a recorder having the master key thereof not renewed canrecord data to the recording medium (optical disc) 150 having beendescribed with FIG. 4 for example and in which the prerecordinggeneration information is not recorded, as in the above. Thus, aninformation player having the master key thereof not renewed can playback data from the optical disc 150 in which data has been thusrecorded, while no data recording is permitted to the recording medium200 having the prerecording generation information recorded therein ashaving been described in the above with reference to FIG. 8 unless thereis available to that information player any master key MK of ageneration younger than a generation indicated by the prerecordinggeneration information. Namely, since a master key MK of a generationyounger than the generation indicated by the prerecording generationinformation recorded in the recording medium 200 is required for datarecording to the recording medium 200, it is possible to prevent datafrom being recorded to a recorder having the master key thereof notrenewed.

Note that in this embodiment, it is assumed that the generation of amaster key in the key table recorded in the recording medium 200 isrecorded as prerecording generation information Generation #n. However,the generation number of a master key in the key table recorded in therecording medium 200 should not always be coincident with a generationnumber n indicated by the prerecording generation information Generation#n.

(2.4 Renewal of Master Key)

Next, various processing operations of the recorder/player shown in FIG.6 will be described with reference to FIGS. 9 to 12. First, there willbe described with reference to the flow chart in FIG. 9 renewal of amaser key, which will be effected when the recording medium 200 is setin the recorder/player for recording or playback of data to therecording medium 200.

After the recording medium 200 is set in the recorder/player, first instep S901, the recording medium I/F 690 (in FIG. 6) will read key tablegeneration information Generation #i+1 from the recording medium 200 andsupplies it to the master key renewal unit 703 of the cryptography unit650 (in FIG. 7). The master key renewal unit 703 reads an encryptedmaster key C stored in the encrypted data holder 102, and makes acomparison between the generation number of the encrypted master key andthe generation number i+1 indicated by the key table generationinformation generation #i+1 to judge which one of the generations isyounger or older than the other, in step S902.

If it is judged in step S902 that the generation number i+1 indicated bythe key table generation information Generation #i+1 is not larger thanthe generation number of the encrypted master key C stored in theencrypted data holder 102, namely, if the generation number of theencrypted master key C stored in the encrypted data holder 102 is aslarge as or larger than the generation number i+1 indicated by the keytable generation information Generation #i+1, the recorder/player willskip over steps S903 to S905 and exit the master key renewing procedure.

That is, in this case, since the master key MK (encrypted master key C)stored in the encrypted data holder 102 has not to be renewed, so therenewal will not be effected.

On the other hand, if the generation number i+1 indicated by thegeneration information Generation #i+1 in the key table is judged instep S902 to be larger than the generation number of the encryptedmaster key C stored in the encrypted data holder 102, namely, if thegeneration number of the master key C stored in the encrypted dataholder 102 is smaller than the generation number i+1 indicated by thekey table generation information Generation #i+1, the recorder/playergoes to step S903 where the recording medium I/F 690 will read a keytable from the recording medium 200 (in FIG. 8) and supply it to themaster key renewal unit 703 of the cryptography unit 650 (in FIG. 7).

In step S904, the master key renewal unit 703 judges whether anencrypted master key C assigned to a device number i of the deviceexists in the key table. If the judgment result is that the encryptedmaster key C is not in the key table, the recorder/player skips overstep S905 and exits the master key renewing procedure.

That is to say, in case it is already known that the recorder/player hasbeen attacked by an attacker and the device key DK_j thereof has beenknown to the attacker as having previously been described with referenceto FIG. 2, the field for an encrypted master key C(j, i+1) correspondingto the category number j in the key table is blanked, so that the masterkey MK will not be renewed (cannot be renewed).

On the other hand, if the result of the judgment made in step S904 isthat there exists in the key table the encrypted master key C assignedto the device number j of the recorder/player itself, therecorder/player goes to step S905 where the master key renewal unit 703will supply the encrypted master key C to the encrypted data holder 102where the encrypted master key is replaced with an encrypted master keystored in the holder 102 and stored there, and exit the master keyrenewing procedure.

(2.5 Content Recording)

Next, operations made by the recording/player for recoding data to therecording medium 200 will be described with reference to the flow chartin FIG. 10.

First in step S1001, the recording medium I/F 690 reads the prerecordinggeneration information Generation #n from the recording medium 200 andsupplies it to the CPU 670. The CPU 670 will recognize the generation ofthe encrypted master key C stored in the encrypted data holder 102 ofthe cryptography unit 650 (in FIG. 7), and make a comparison between thegeneration number of the encrypted master key and generation number nindicated by the prerecording generation information Generation #n andjudges which one of the generations is younger or older than the otherin step S1002.

If the generation number of the encrypted master key C stored in theencrypted data holder 102 is judged in step S1002 not to be larger thanthe generation number n indicated by the prerecording generationinformation Generation #n, that is, if the generation number of theencrypted master key C stored in the encrypted data holder 102 issmaller than the generation number n indicated by the prerecordinggeneration information Generation #n, the recorder/player goes to stepS1005.

On the other hand, if the result of the judgment effected in step S1002is that the generation number of the encrypted master key C stored inthe encrypted data holder 102 is larger than the generation number nindicated by the prerecording generation information Generation#n,namely, if the generation number of the encrypted master key C stored inthe encrypted data holder 102 is as large as or larger than thegeneration number n of the prerecording generation informationGeneration #n, the recorder/player goes to step S1003 where the CPU 670will control the recording medium I/F 690 to record the generationinformation indicating the generation of the encrypted master key Cstored in the encrypted data holder 102 as recording generationinformation into the recording medium 200 (in FIG. 8).

Then, in step S1004, a content to be recorded to the recording medium200, supplied to the recorder/player, is encrypted by the cryptographyunit 650 and supplied to the recording medium 200 via the bus 610.

More particularly, supplied with digital signals as a content to berecorded to the recording medium 200, the digital I/F 620 supplies themto the encoder 701 of the cryptography unit 650 (in FIG. 7) via the bus610. Also, supplied with analog signals as a content to be recorded tothe recording medium 200, the analog I/F 640 supplies them to the MPEGcodec 630 via the converter 635. The MPEG codec 630 will make an MPEGencoding of the digital signals supplied from the converter 635 andsupply the data to the encoder 701 of the cryptography unit 650 via thebus 610.

In the cryptography unit 650, the master key decryption unit 103decrypts the encrypted master key C stored in the encrypted data holder102 with the device key DK stored in the device key holder 101 to amaster key MK, and supplies the master key MK to the encoder 701 whichin turn will use the master key MK from the master key decryption unit103 to encrypt unencrypted digital signals (content) supplied theretoand will supply the content thus encrypted to the recording medium I/F690 via the bus 610.

Further in step S1004, the recording medium I/F 690 supplies theencrypted content from the cryptography unit 650 to the recording medium200 for recording, and exits the content recording procedure.

Note that in case the recording medium 200 is a disc-shaped one such asan optical disc for example, the recording generation information isrecorded to a sector header of a sector or the like for example as shownin FIG. 11. That is, a sector is composed of a sector header and a userdata part, and recording generation information is recorded to thesector header of the sector while the content having been encrypted witha master key MK of a generation indicated by the recording generationinformation is recorded to the user data part of the sector. Such amethod for recording generation information is disclosed in detail inthe Japanese Patent Application No. 352975 of 1998 of the Application ofthe present invention.

Also, for recording as a file to the recording medium 200, an encryptedcontent can be recorded to the recording medium 200 in such a mannerthat recording generation information can be managed in correlation withthe file.

In the above, a master key of a generation stored in the encrypted dataholder 102 is used to encrypt a content for recording. Alternatively,however, a master key of a generation indicated by prerecordinggeneration information recorded in the recording medium 200, createdfrom a master key of a generation recorder in the encrypted data holder102, for example, may be used to encrypt a content for recording. Inthis case, since the generation of the master key used for encryption ofa content to be recorded to the recording medium 200 always coincideswith that indicated by the prerecording generation information recordedin the recording medium 200, so it is not necessary to record therecording generation information to the recording medium 200.

On the other hand, in case the recorder/player has gone to step S1005,no data recording to the recording medium 200 is permitted (can be done)if the generation number of the encrypted maser key C stored in theencrypted data holder 102 is smaller than the generation number nindicated by the prerecording generation information Generation #n.

Thus, in step S1005, the content recording procedure is ended withdisplaying a message for prompting to renew the master key to a one of ayounger generation, or giving a warning sound or warning indication, tothe user via the user I/F 660.

When the prompting message or the warning sound or indication are given,the user will follow the message to carry his device to a servicestation of the device manufacturer in order to have the master keyrenewed or follow a method included in the following description of theembodiment to renew the master key. Thus, data will be recordable to therecording medium 200.

(2.6 Content Playback)

Next, operations of the recorder/player for playback of data from therecording medium 200 will be described with reference to the flow chartof FIG. 12.

First in step S1201, the recording medium I/F 690 reads the prerecordinggeneration information Generation #n from the recording medium 200 andsupplies it to the CPU 670. Then, the recording medium I/F690 goes tostep S1202 where it will read, from the recording medium 200, generationinformation (recording generation information) of the master key MKhaving been used to encrypt a content (data) to be played back, andsupply the information to the CPU 670.

In step S1203, the CPU 670 makes a comparison between the generationnumber n indicated by the prerecording generation information Generation#n from the recording medium I/F 690 and generation number m indicatedby the recording generation information to judge which one of thegenerations is younger or older than the other.

If the generation number m indicated by the recording generationinformation is judged in step S1203 not to be larger than the generationnumber n indicated by the prerecording generation information Generation#n, namely, if the generation number m indicated by the recordinggeneration information is smaller than the generation number n indicatedby the prerecording generation information Generation #n, therecorder/player will skip over steps S1204 to S1206, and exit thecontent playback procedure.

Therefore, in case a content recorded in the recording medium 200 hasbeen encrypted with a master key MK of a generation older than thegeneration n indicated by the prerecording generation informationGeneration #n, it will not be played back (playback is not permitted).

Namely, since the above case means that the content is data having beenencrypted with a master key of an old generation and recorded to therecording medium 200 by an inappropriate recorder of whichinappropriateness has been discovered and which has not any master keyof the latest generation given thereto, the recording medium 200 havingdata recorded thereto by such an inappropriate device will not beplayed, whereby it is possible to revoke any inappropriate device.

On the other hand, if the result of the judgment made in step S1203 isthat the generation number m indicated by the recording generationinformation is larger than the generation number n indicated by theprerecording generation information Generation #n, namely, if thegeneration number m indicated by the recording generation information isas large as or larger than the generation number n indicated by theprerecording generation information Generation #n and thus the contentrecorded in the recording medium 200 has been encrypted with a masterkey MK having a generation number larger than the generation number nindicated by the prerecording generation information Generation #n, therecorder/player goes to step S1204 where the CPU 670 will recognize thegeneration of an encrypted master key C stored in the encrypted dataholder 102 of the cryptography unit 650 (in FIG. 7) and make acomparison between the generation number of the encrypted master key Cand generation number m indicated by the recording generationinformation to judge which one of the generations is younger or olderthan the other.

If the generation number of the encrypted master key C stored in theencrypted data holder 102 is judged in step S 1204 not to be larger thanthe generation number m indicated by the recording generationinformation, that is, if the generation number of the encrypted masterkey C stored in the encrypted data holder 102 is smaller than thegeneration number m indicated by the recording generation information,the recorder/player will got to step S1207.

On the other hand, if the result of the judgment made in step S1204 isthat generation number of the encrypted master key C stored in theencrypted data holder 102 is larger than the generation number mindicated by the recording generation information, that is, if thegeneration number of the encrypted master key C stored in the encrypteddata holder 102 is as large as or larger than the generation number mindicated by the recording generation information, the recorder/playergoes to step S1205 where the master key decryption unit 103 of thecryptography unit 650 (in FIG. 7) will decrypt the encrypted master keyC stored in the encrypted data holder 102 with a device key DK stored inthe device key holder 101 to a master key MK. Further, if the generationnumber of the master key MK thus decrypted is larger than the generationnumber m indicated by the recording generation information, the masterkey decryption unit 103 will create, from the master key MK thusdecrypted, a master key MK having the generation number m indicated bythe recording generation information from the maser key MK, and supplyit to the decoder 702.

Then, the recorder/player goes to step S1206 where the recording mediumI/F 690 will read an encrypted content from the recording medium 200,and supply the data to the cryptography unit 650 via the bus 610.Further in step S1206, the decoder 702 of the cryptography unit 650decrypts the encrypted content read from the recording medium 200 withthe master key MK having been acquired in step S1205, and exits thecontent playback procedure.

The content decrypted as in the above is outputted to outside via thebus 610 and digital I/F 620. Alternatively, the content is subjected toMPEG decoding in the MPEG codec 630 and then to D/A conversion in theconverter 635 to analog signals. The analog signals are outputted tooutside vide the analog I/F 640.

On the other hand, in step S1207, data playback from the recordingmedium 200 is not permitted because the generation number of theencrypted master key C stored in the encrypted data holder 102 issmaller than the generation number m indicated by the recordinggeneration information. That is, if the generation number of theencrypted master key C is smaller than the generation number m indicatedby the recording generation information, a master key MK having ageneration number m larger than the generation number of the master keyMK acquired from the encrypted master key C cannot be created from thelatter master key MK, so that no data playback will be done (cannot bedone) from the recording medium 200.

Thus, in step S1207, the data playback procedure is ended withdisplaying a message for prompting to renew the master key to a masterkey of a younger generation, or giving a warning sound or indication, tothe user via the user I/F 660.

Thus, the user will follow the message to carry his device to a servicestation of the device manufacturer in order to have the master keyrenewed or follow a method included in the following description of theembodiment to renew the master key. Thus, it will be possible to playback data from the recording medium 200.

Since no playback can be done in case the generation indicated by therecording generation information is not younger that indicated by theprerecording generation information, it is possible to compel the userto renew the master key, whereby it is made possible to indirectlyprevent a recording medium having data recorded illegally by anyinappropriate device from being distributed.

Also, if a device cannot record or play back data to or from a recordingmedium because it has no master key of the latest generation storedtherein, a message for prompting to renew the master key may bedisplayed to the user, thereby further promoting the procedure forrenewing the master key in the entire system.

[3. Other Embodiments]

(3.1 System Configuration for Renewal of Master Key by IC Card)

Another embodiment of the recorder/player according to the presentinvention will be described concerning an example construction thereofwith reference to FIG. 13.

In FIG. 13, the recorder/player is generally indicated with a reference1300. Most of the components of the recorder/player 1300 shown in FIG.13 are similar to those shown in FIG. 6, and will not further bedescribed. As shown in FIG. 13, an IC (integrated circuit) card I/F 1302is connected to the bus 610. The IC card I/F 1301 is an interfaceintended to transfer data to and from an IC card 1302 which is removablysettable in the recorder/player 1300.

The procedure for renewing a master key when the recording medium 200 isset in the recorder/player 1300 is similar to that having been describedand illustrated in FIG. 9.

Next, operations of the recorder/player 1300 in recording data to therecording medium 200 will be described with reference to the flow chartin FIG. 14.

Operations in steps S1401 to S1405 shown in FIG. 14 are similar to thosein steps S1001 to S1005 in FIG. 10, and so will not be described anylonger. In step S1405, however, a message for prompting to renew themaster key is displayed to the user and the recorder/player will go tostep S1406. That is, a message for prompting to renew the master key toa one of a younger generation is displayed to the user via the user I/F660 or a warning sound or indication is given to the user, and therecorder/player 1300 will got to step S1406.

In step S1406, the IC card 1302 is set by the user and then the masterkey is renewed using the IC card 1302. That is, the IC card 1302 hasrecorded therein a similar key table to that recorded in the recordingmedium 200, having previously been described with reference to FIG. 8,and the recorder/player 1300 can effect the aforementioned method toprocess the key table, thereby to acquire an encrypted master key of thelatest generation.

In the above embodiment, the IC card 1302 has recorded therein thesimilar key table to that recorded in the recording medium 200, havingpreviously been described with reference to FIG. 8. However, the IC card1302 may be used as in the following.

Namely, the memory 680 of the recorder/player 1300 has stored thereinidentification information (device ID) for identification of eachrecorder/player and device key corresponding to each device ID, and theIC card 1302 has stored therein an encrypted master key derived fromencryption of a master key of the latest generation with a device keycorresponding device ID. By handling the encrypted master key similarlyto the key table stored in the recording medium 200, the recorder/player1300 can acquire an encrypted master key of the latest generation.

Since the IC card having data for each user stored therein can easily bemailed to the user by the key issuing institute, use of the IC card asin the above is advantageous in that the key can be elaborately managedand thus the recording capacity of the recording medium will not bewasted by storage of the key table.

Next in step S1407, it is checked whether an encrypted master key of anecessary generation has been acquired via the IC card 1302 in stepS1406.

If an encrypted master key of the necessary generation has been acquiredin step S1406, the recorder/player 1300 goes to step S1403 where it willfinally record data to the recording medium 200.

If the encrypted master key of the necessary generation has not beenacquired in step S1406, the recorder/player 1300 will exit the datarecording procedure without recording data to the recording medium 200.Note that at this time, a message informing that the encrypted masterkey of the necessary generation has not been acquired may be displayedto the user.

Next, operations of the recorder/player 1300 in playback of datarecorded in the recording medium 200 will be described with reference tothe flow chart in FIG. 15.

Operations in steps S1501 to S1507 shown in FIG. 15 are similar to thosein steps S1201 to S1207 in FIG. 12, and so will not be described anylonger. In step S1507, however, a message for prompting to renew themaster key is displayed to the user and the recorder/player 1300 will goto step S1508. That is, a message for prompting to renew the master keyto a one of a younger generation is displayed to the user via the userI/F 660 or a warning sound or indication is given to the user, and therecorder/player will got to step S1508.

In step S1508, an encrypted master key of a necessary generation isacquired from the IC card 1302 as in step S1406 in FIG. 14. Then therecorder/player 1300 will go to step S1509.

In step S1509, it is checked whether an encrypted master key of anecessary generation has been acquired in step S1508.

If the encrypted master key of the necessary generation has beenacquired in step S1508, the recorder/player 1300 goes to step S1505where it will finally play back data from the recording medium 200.

If the encrypted master key of the necessary generation has not beenacquired in step S1508, the recorder/player 1300 exits the data playbackprocedure without playing back data from the recording medium 200. Notethat at this time, a message informing that the encrypted master key ofthe necessary generation has not been acquired may be displayed to theuser.

(3.2 System Configuration for Renewal of Master Key via Modem)

Next, another embodiment of the recorder/player according to the presentinvention will be described concerning an example construction thereofwith reference to FIG. 16.

In FIG. 16, the recorder/player is generally indicated with a reference1600. As shown in FIG. 16, most of the components of the recorder/player1600 are similar to those shown in FIG. 6 and will not be described anylonger. However, the memory 680 has stored therein identificationinformation unique to a recorder/player (device ID), an encryption keyof a common key cryptography system or a private key of a public keycryptography system, unique to each device, a public key certificate,etc.

As shown in FIG. 16, the bus 610 has connected thereto a modem 1610which is connected to a telephone line.

Next, operations of the recorder/player 1600 constructed as shown inFIG. 16 in data recording to the recording medium 200 will be describedwith reference to FIG. 17.

Operations in steps S1701 to S1704 in FIG. 17 are similar to those insteps S1001 to S1004 in FIG. 10, and will not be described any longer.

If the generation number of an encrypted master key stored in therecorder/player 1600 itself is judged in step S1702 to be smaller thanthat indicated by the prerecording generation information, therecorder/player 1600 goes to step S1705 where the modem 1601 of therecorder/player 1600 will form a link with the key issuing institute viathe telephone line to receive and acquire an encrypted master key sentfrom the key issuing institute.

Note that at this time, a mutual authentication protocol may be effectedfor the recorder/player 1600 and key issuing institute to mutuallyconfirm the appropriateness of their counterpart. For example, thewell-known mutual authentication protocols includes a one using a commonkey cryptography as in ISO/IEC 9798-2, a one using a public keycryptography as in ISO/IEC 9798-3, a one using a cryptographic checkfunction as in ISO/IEC 9798-4, etc.

FIG. 18 shows the application of one of protocols using thecryptographic check function for mutual authentication and encryptionkey sharing to the embodiment.

In FIG. 18, a recorder/player (B: Device) has stored therein ID_B beinga unique device ID and a private key DK_B. A key issuing institute (A)has stored therein a device ID for each device and a private key tablecorresponding to each device ID.

First, the recorder/player creates a random number R_B and sends italong with ID_B to the key issuing institute. Note that the symbol “∥”in FIG. 18 indicates a concatenation.

Next, the key issuing institute creates random numbers R_A,S_A and ID_A,and sends MAC(DK_B, R_A∥R_B∥S_A) along with them to the recorder/player.The ID_A is identification information indicating the key issuinginstitute, and MAC(DK_B, R_A∥R_B∥S_A) indicates input of DK_B as a keyto the cryptographic check function and R_A∥R_B∥S_A as data. Thecryptographic check function can be formed by applying the DataEncryption Standard (DES) defined in FIPS 46-2 as shown in ISO/IEC 9797.Also, DK_B used as in the above is retrieved from the stored private keytable using ID_B as a retrieval key.

The recorder/player uses received data to calculate MAC(DK_B,R_A∥R_B∥S_A) by itself and check if the calculation result coincideswith the received MAC(DK_B, R_A∥R_B∥S_A). If there is found acoincidence between the calculated MAC(DK_B, R_A∥R_B∥S_A) and receivedone, the recorder/player will judge that the key issuing institute isappropriate, and operate continuously. If not, the recorder/player willjudge that the key issuing institute is inappropriate, and cease themaster key renewing procedure.

Next, the recorder/player creates the random number S_B and sends italong with MAC(DK_B, R_A∥R_B∥S_A) to the key issuing institute.

The key issuing institute will also use the received data to calculateMAC(DK_B, R_A∥R_B∥S_A) by itself and confirm whether the calculationresult coincides with the received MAC(DK_B, R_A∥R_B∥S_A). If thecalculated MAC(DK_B, R_A∥R_B∥S_A) coincides with the received one, thekey issuing institute will judge that the recorder/player is appropriateand operate continuously. If not, the key issuing institute will judgethat the recorder/player is inappropriate and cease the master keyrenewing procedure.

Next, the recorder/player creates the random number S_B, and sends italong with MAC(DK_B, R_B∥R_A∥S_B) to the key issuing institute.

Also the key issuing institute uses the received data to calculateMAC(DK_B, R_B∥R_A∥S_B) by itself and confirm whether the calculationresult coincides with the received MAC(DK_B, R_B∥R_A∥S_B). If there isfound a coincidence between the calculated MAC(DK_B, R_B∥R_A∥S_B) andreceived one, the key issuing institute will judge that therecorder/player is appropriate. If not, the key issuing institute willjudge that the recorder/player is inappropriate, and cease the masterkey renewing procedure.

Finally, both the recorder/player and key issuing institute calculateMAC(DK_B, S_A∥S_B) and uses it as a session key in that session.

Since the key issuing institute and recorder/player can mutually confirmthe appropriateness of their counterpart and also share the session keysafety as in the above, the key issuing institute for example canencrypt a master key of the latest generation by DES or the like usingthe session key as a key, and send the encrypted master key safely tothe recorder/player.

FIG. 19 shows an application of an authentication technique using thepublic key cryptography to this embodiment.

In FIG. 19, the each of key issuing institute A and recorder/player Bowns an ID for identification of itself, public key certificate andrevocation list or registration list. The public key certification isdata certified with a signature by the center (key issuing institute)for the entity ID and public key as shown in FIG. 20.

The revocation list is also called “authorized devices list” or “blacklist”. As shown in FIG. 21, it lists up IDs of devices whose privatekeys have been uncovered and carries a version number which willmonotonously be larger and a digital signature made by the center (keyissuing institute).

The registration list is also called “unauthorized devices list” or“registered devices list”. As shown in FIG. 22, it lists up IDs ofconcurrently reliable devices (whose private keys have not beenuncovered) and carries a version number which will monotonously belarger and a digital signature made by the center (key issuinginstitute).

As shown in FIG. 19, the recorder/player creates the random number R_Band sends it to the key issuing institute.

The key issuing institute creates random numbers K_A and R_A, calculatesV_A by multiplying a system-common point (base point) G on an ellipticcurve E by K_A, and sends a public key certificate (Cert_A, R_A, R_B,V_A) along with a signature made to data R_A∥R_B∥V_A with its ownprivate key (Prikey_A) to the recorder/player.

The recorder/player checks the validity of the public key certificatefrom the key issuing institute and of the signature made by the keyissuing institute. When it has a revocation list stored therein, itconfirms that the counterpart's ID is not listed in the revocation list.In case it has a registration list stored therein, it confirms that thecounterpart's ID is listed in the registration list. If therecorder/player has not succeeded in the confirmation, it will judgethat the key issuing institute is inappropriate and exit the master keyrenewing procedure. When the recorder/player has succeeded in theconfirmation, it will create the random number K_B, make a similarcalculation to that having been made by the key issuing institute andsend a signature made to data R_B∥R_A∥V_B along with the public keycertificate (Cert_B, R_B, R_A, V_B) to the key issuing institute.

The key issuing institute will make similar inspections to those havingbeen made by the recorder/player to the received data and continue themaster key renewing procedure only when all the inspections havesuccessfully been made.

Thereafter, the key issuing institute multiplies K_A and V_B, while therecorder/player multiplies K_B and V_A, on the elliptic curve E,respectively, to acquire a session key K_S of which the use is as havingbeen described with respect to FIG. 18.

Note that the multiplication on the elliptic curve, creation of thedigital signature, and inspection method are under definition by theIEEE P1363, and they are detailed in the available preliminary standard.

In step S1706 in FIG. 17, it is judged whether the recorder/player hassuccessfully acquired a master key of a necessary generation. If themaster key has been acquired, the recorder/player goes to step S1703where it will eventually record data to the recording medium.

If the recorder has not successfully acquired the encrypted master keyof the necessary generation, it will exit the master key renewingprocedure without recording data to the recording medium. Note that atthis time, there may be displayed to the user a message informing thatthe encrypted master key of the necessary generation has notsuccessfully been acquired.

In the above embodiment, the modem 1601 and telephone line are used toacquire a master key from the key issuing institute in step S1705. Notehowever that a master key can be acquired from any other recorder/playerand a link may be formed using the digital I/F 620, not the modem 1601.In case the recorder/player acquires a master key from anotherrecorder/player, not from the key issuing institute, the authenticationusing the public key as shown in FIG. 19 should preferably be adopted.

Next, operations of the recorder/player 1600 in FIG. 16 in playback ofdata recorded in the recording medium 200 will be described with respectto the flow chart shown in FIG. 23.

Operations in steps S2301 to S2306 in FIG. 23 are similar to those insteps S1201 to S1206 in FIG. 12, and so will not be described anylonger. In step S2304, however, if the generation of an encrypted masterkey stored in the player is older that indicated by the recordinggeneration information, the recorder/player 1600 will go to step S2307.

In step S2307, the similar method to that in step S1705 in FIG. 17 isused to try to acquire an encrypted master key of the latest generation.That is, the recorder/player 1600 uses the modem 1601 to form a link tothe key issuing institute via a telephone line, and thus receives andacquires the encrypted master key of the latest generation sent from thekey issuing institute. Note that at this time, the recorder/player andkey issuing institute should preferably execute the aforementionedmutual authentication protocol.

Next in step S2308, if the encrypted master key of the necessarygeneration has successfully been acquired in step S2307, therecorder/player goes to step S2305 where it will eventually read datafrom the recording medium 200. On the other hand, if the encryptedmaster key of the necessary generation has not successfully beenacquired, the recorder/player will exit the master key renewingprocedure without reading data from the recording medium 200. Note thatat this time, there may be displayed to the user a message informingthat the master key of the necessary generation has no successfully beenacquired.

Note that also in the procedure for renewing the master key with the ICcard, having been described with reference to FIGS. 13 to 15, mutualauthentication may be effected between the recorder/player 1300 and ICcard 1302 to acquire a renewed master key only when the authenticationhas successfully been made. Also, for acquisition of a master key, therecorder/player 600 constructed as shown in FIG. 6 should preferably beconstructed to effect the above-mentioned authentication by networkcommunications via the digital I/F 620 for example to acquire a renewedmaster key only when the authentication has successfully be made.

(3.3 System Configuration for Renewal of Master Key Via Key RenewingTerminal)

Next, there will be described another embodiment of the presentinvention will be described concerning a system configuration in which akey renewing terminal, constructed as a separate unit independent of theinformation recorder or player is used. More specifically, when amessage for prompting to acquire a master key of the latest generationis displayed in step S1005 in FIG. 10, a special tool, namely, a keyrenewing terminal, is used to renew the master key. The key renewingterminal is held by a service man dispatched from a service center forexample. This embodiment uses such a key renewing terminal.

As having previously been described, in the key renewing system using arecording medium, a plurality of, for example, thousands of, devicesbelongs to one category. Therefore, even if only one of the manyrecorder/players included in one category has the device key thereof,which has to be stored safely therein, uncovered or known to outside,all the devices include in the category have to be removed from thesystem. The key renewing system of this embodiment is such that thedevices revoked once and which should not be revoked are recovered intothe system, namely, the key renewing terminal is used to renew themaster key, thereby re-enabling the normal recording and playback. Aplurality of modes of master key renewal with the key renewing terminalwill be described herebelow.

3.3.1 Master Key Renewal Via Key Renewing Terminal—Example 1)

First, the system for renewing a master key via the key renewingterminal in the information recorder or player constructed as in FIG. 6will be described. It should be reminded that in this embodiment,however, the information recorder or player has safely stored therein acategory number to which the device belongs, a device key correspondingto the category number, and in addition, a device ID and a device-uniquekey corresponding to the device ID. The device-unique key is stored inthe cryptography unit having previously been described with reference toFIG. 1 for example.

In this embodiment, to renew the master key of the information recorderor player, an information processor for renewal of a key (will bereferred to as “key renewing terminal” herein). FIG. 24 is a blockdiagram showing an example construction of the key renewing terminal.

As shown in FIG. 24, the key renewing terminal is generally indicatedwith a reference 2400. The key renewing terminal 2400 includes acontroller 2401, modem 2402 and a digital interface (I/F) 2403. Forexample, when in key renewal using the aforementioned ordinary recordingmedium, a category to which the device in consideration belongs isrevoked, identification of the category results in that no key renewalis to be done for the device and thus the device cannot acquire a masterkey of any new generation, each recorder/player provides a communicationpath for acquisition of a master key directly from the key issuinginstitute.

FIG. 25 shows the construction of the information recorder or player inwhich the key renewing terminal shown in FIG. 24 is used to establish acommunication path for acquisition of a master key from the key issuinginstitute. The recorder/player is generally indicated with a reference2500. It includes a digital I/F 2501. The digital I/F 2501 is normallyused to transmit content data such as music, movie or the like. Foracquisition of a master key from the key issuing institute, however, thedigital I/F 2501 and the digital I/F 2403 of the key renewing terminal2400 are connected to each other to establish a communication path fromthe modem 2402 of the key renewing terminal 2400 to the key issuinginstitute via a telephone line. The controller 2401 controls thecommunications, conversion of format of data to be transmitted,selection of data to be transmitted, etc.

After the recorder/player 2500 has established a communication path tothe key issuing institute via the key renewing terminal 2400, the keyissuing institute and recorder/player use a mutual authentication andkey sharing protocol based on the common key cryptography (will be shownin FIG. 26) or a mutual authentication and key sharing protocol based onthe public key cryptography (will be shown in FIG. 27) to mutuallyconfirm their appropriateness, and then the key issuing institute givesa master key of the latest generation to the recorder/player.

FIGS. 26 and 27 show a mutual authentication and key sharing protocolbased on the common key cryptography, similar to that shown in FIG. 18and a mutual authentication and key sharing protocol based on the publickey cryptography, similar to that shown in FIG. 19. Thus, the details ofthese protocols are referred to FIGS. 18 and 19. In the mutualauthentication and key sharing protocol based on the common keycryptography, shown in FIG. 26, however, a device-unique key (DUK) beinga key unique to each of the recorder/players is used as a private keyinstead of the device key (DK) which is the private key used in thesequence in FIG. 18. Therefore, the key issuing institute has a tableincluding a device ID of each recorder/player and a device-unique keycorresponding to the device ID.

The mutual authentication and key sharing protocol shown in FIG. 26 or27 is executed between the recorder/player 2500 and key issuinginstitute via the key renewing terminal 2400 shown in FIG. 25. A renewedmaster key acquired through the above operations can be transmittedsafely by encrypting the renewed master key with a session key K_Shaving been shared based on the protocol.

Note that in the above, a master key is transmitted from the key issuinginstitute to the recorder/player after completion of the authenticationbut the key issuing institute may receive only a device ID from arecorder/player which has made a request for key renewal with omissionof the mutual authentication, take out a device-unique key (DUK) for therecorder/player in consideration from its table including device IDs anddevice-unique keys, encrypt a master key with the device-unique key(DUK) and transmit the encrypted master key to the recorder/player. Therecorder/player having received the encrypted master key will decrypt itwith its own device key (DUK) to acquire a renewed master key. In thiscase, the counterpart with which the recorder/player communicates may bea server or the like having stored therein a master key table shown inFIG. 28, not the key issuing institute which should be reliable. Thetable shown in FIG. 28 is a one created in correlation with individualrecorder/players included in one category and in which there are storeda device-unique identification number for each recorder/player and amaster key (MK_n) having the generation number n, encrypted with acorresponding device-unique key for the recorder/player, in correlationwith each other. The recorder/player whose master key is to be renewedaccesses a server having the table shown in FIG. 28 stored therein viathe key renewing terminal to acquire the n-th generation master key(MK_n) encrypted with its own device-unique key (DUK).

3.3.2 Master Key Renewal Via Key Renewing Terminal—Example 2)

Next, a second example of the master key renewal via the key renewingterminal will be described. In this example, the communication interface(I/F) of the recorder/player is connected to the key renewing terminalto acquire a renewed master key.

As shown in FIG. 29, the recorder/player is generally indicated with areference 2900. As seen, the recorder/player 2900 is connected to acommunication I/F 2951 of a key renewing terminal 2950 via acommunication I/F 2901 and also connected to the key issuing institutevia a modem 2952 under the control of a controller 2951. Therecorder/player 2900 executes the aforementioned mutual authenticationand key sharing protocol to acquire a renewed master key. Thecommunication I/F 2901 of the recorder/player 2900 may be of a radiocommunication type such as an infrared communication or Bluetooth type.

3.3.3 Master Key Renewal Via Key Renewing Terminal—Example 3)

In the above two examples, the communication path to the key issuinginstitute is established via the key renewing terminal and a renewedmaster key is acquired by the communication with the key issuinginstitute. In this third example, the key renewing terminal does notprovide any communication path between the recorder/player and keyissuing institute but it works as a key issuing institute or as theabove-mentioned server. That is to say, the key renewing terminalincludes a storage unit in which a master key table as shown in FIG. 28for example is stored.

FIGS. 30 and 31 explain third and fourth examples, respectively, of theacquisition of renewed master key. The recorder/player in the thirdexample is generally indicated with a reference 3000. As shown in FIG.30, the recorder/player 3000 includes a digital I/F 3001 which isnormally used to transmit content data such as music, movie, etc. Foracquisition of a aster key from a key renewing terminal 2050, however,the digital I/F 3001 is connected to a digital I/F 3053 of the keyrenewing terminal 3050 to acquire an encrypted master key correspondingto a device ID of the recorder/player 3000 from an encrypted master keytable shown in FIG. 28 for example and stored in a recording medium 5052of the key renewing terminal 3050. The key renewing terminal 3050includes also a controller 3051 which controls the communicationsbetween the recorder/player 3000 and key renewing terminal 3050.

In the fourth example shown in FIG. 31, a recorder/player 3100 isconnected to a communication I/F 3151 of a key renewing terminal 3150via a communication I/F 3101 of the recorder/player 3100 itself. Therecorder/player 3100 acquires, from an encrypted master key table shownin FIG. 28 for example and stored in a recording medium 3153 of the keyrenewing terminal as in the aforementioned example, an encrypted masterkey corresponding to its own device ID under the control of a controller3151 also included in the key renewing terminal 3150. The communicationI/F 3101 of the recorder/player 3100 may be of a radio communicationtype such as an infrared communication or Bluetooth type.

Also in this example, the key renewing terminal and recorder/player mayexecute the mutual authentication and key exchange protocol to confirmtheir appropriateness. Then the key renewing terminal may use theencryption key shared in the protocol to send the master key safely tothe recorder/player. For these operations, there can be applied theauthentication and key exchange protocol based on the common keycryptography as shown in FIG. 26 and authentication and key exchangeprotocol based on the public key cryptography as shown in FIG. 27,having previously been described.

In case the authentication and key exchange protocol based on the commonkey cryptography, shown in FIG. 26, is used, a device-unique key tableis given to the key renewing terminal and the device ID of arecorder/player known to have the device-unique key (DUK) thereofuncovered is marked with an indication of the DUK uncovering, therebygranting no master key to the recorder/player.

Also, in case the authentication and key exchange protocol based on thepublic key cryptography, shown in FIG. 27, is used, the key renewingterminal does not require the device-unique key (DUK), but in order topass no master key to a recorder/player known to have the device-uniquekey (DUK) thereof uncovered, a revocation list of device IDs is storedin the key renewing terminal to pass a master key only to a device forwhich there is not found in the list any crisis ID corresponding to adevice ID of a recorder/player having made a request for key renewal.

By the above-mentioned key renewal via the key renewing terminal, it ismade possible to acquire a renewed master key via the key renewingterminal provided separately from the recorder/player. For example adevice having to renew its master key because the device of any otherdevice belonging to the same category has been uncovered, can establisha communication path to the key issuing institute via the key renewingterminal to acquire a master key or can acquire a master key directlyfrom the key renewing terminal, so that a different procedure forrenewal of the master key can be taken for each of the terminalsbelonging to the same category. Also, the key renewing terminal may beadapted for use as connected to a recorder/player only when it isnecessary to renew the master key. Since the key renewing terminal cansend and receive information to and from the recorder/player via aninterface which is normally provided, this arrangement is alsoadvantageous in that no modem or the like has to be provided in therecorder/player, namely, it will not lead to any increase of costs ofthe system.

[4. Tree-Structured Key Distribution System]

The recorder/player shown in FIG. 6 distributes, via a tree-structuredkey distribution system, to each of the other recorder/players includedin the system, a master key necessary for recording data to therecording medium or for playback of data from the recording medium aswill be described herebelow. FIG. 32 shows the key distribution in therecorder/player in a tree-structured recording system. The numbers 0 to15 shown at the bottom in FIG. 32 indicate individual recorder/players.That is, in FIG. 32, each of the leaves of the tree structurecorresponds to each of the recorder/players (will be referred to as“device” hereunder wherever appropriate).

During production (or at shipment), there is stored in each of thedevices 0 to 15 a node key assigned to a node from its own leaf to aroute and a leaf key for each leaf in a predetermined initial tree.“K0000” to “K1111” in the next lowest portion in FIG. 32 are leaf keysassigned to the devices 0 to 15, respectively, and “KR” at the highestnode to “K1111” at the bottom nodes are node keys.

In the tree structure shown in FIG. 32, for example, the device 0 owns aleaf key K0000 and node keys K000, K00, K0 and KR. The device 5 owns aleaf key K0101 and node keys K010, K01, K0 and KR. The device 15 owns aleaf key K1111 and node keys K111, K11, K1 and KR. Note that the treeshown in FIG. 32 includes only 16 devices 0 to 15 laid in 4 stages andwell-balanced in horizontal symmetry but it may include more deviceslaid therein and be varied in number of stages from one part to anotherthereof.

The recorder/players (device) included in the tree structure shown inFIG. 32 include various types of recorder/players using a variety ofrecording media, such as DVD, CD, MD, memory stick (trademark), etc.Further, various application services are coexistent with each other inthe tree structure. The key distribution system shown in FIG. 32 isapplied while such different devices and applications are coexistentwith each other.

In the system in which such devices and applications are coexistent, aportion of the tree, shown as encircled with a dotted line in FIG. 32and including the devices 0, 1, 2 and 3, is set as a group in which thedevices use the same recording medium. For example, each of the devicesincluded in the encircled group will receive an encrypted common contentsent from a content provider or a common master key or will output anencrypted content-fee payment data to the provider or a settlementinstitution. The content provider, settlement institution or aninstitution for data communications with each of the devicescollectively sends data to the encircled portion in FIG. 32, that is,the devices 0, 1, 2 and 3 as one group. More than one such group existin the tree shown in FIG. 32.

Note that the node key and leaf key may collectively be managed by acertain key management center or by each of groups including theprovider, settlement institution, etc. which make a variety of datacommunications with each group. If these node and leaf keys have beenuncovered for example, they are renewed by the key management center,provider, settlement institution, etc.

In the tree structure shown in FIG. 32, the four devices 0, 1, 2 and 3included in one group own common keys K00, K0 and KR as node keys. Owingto this common use of the node keys, for example a common master key canbe served to only the devices 0, 1, 2 and 3. For example, by setting thenode key K00 itself owned in common as a master key, it is possible onlyfor the devices 0, 1, 2 and 3 to set a common master key withoutreceiving any new key. Also, by distributing, to the devices 0, 1, 2 and3 via a network or as stored in a recording medium, a value Enc (K00,Kmaster) obtained by encrypting a new master key Kmaster with the nodekey K00, only the devices 0, 1, 2 and 3 can analyze the value Enc (K00,Kmaster) with the common node key K00 owned by each of the devices toacquire the master key Kmaster. Note that Enc (Ka, Kb) is a data derivedfrom encryption of Kb with Ka.

If at a time t, it has been revealed that the keys K0011, K001, K00, K0and KR owned by the device 3 for example were cryptanalyzed anduncovered by any attackers (hacker), it becomes necessary to disconnectthe device 3 from the system in order to protect data transferred to andfrom a system (group including the devices 0, 1, 2 and 3) after that. Tothis end, it the node keys K001, K00, K0 and KR have to be changed tonew keys K(t)001, K(t)00, K(t)0, K(t)R respectively and the new keyshave to be passed to the devices 0, 1 and 2. Note that K(t)aaa is arenewed one of a key Kaaa in a generation t.

The distribution of renewed key will be described herebelow. A key willbe renewed by supplying a table composed of block data called keyrenewal block (KRB) as shown in FIG. 33A to each of the devices 0, 1 and2 via a network or as stored in a recording medium.

As shown in FIG. 33A, the renewal key block (KRB) is formed as a blockdata having a data structure which only a device needing renewal of anode key can renew. The example shown in FIG. 33A is a block data formedin order to distribute a renewed node key of the generation t to thedevices 0, 1 and 2 included in the tree structure shown in FIG. 32. Asapparent from FIG. 32, the devices 0 and 1 need renewed node keysK(t)00, K(t)0 and K(t)R while the device 2 needs renewed node keysK(t)001, K(t)00, K(t)0 and K(t)R.

As seen from FIG. 33A, the KRB includes a plurality of encryption keys.The bottom encryption key is Enc(K0010, K(t)001). This is a renewed nodekey K(t)001 encrypted with a leaf key K0010 of the device 2. The device2 can decrypt this encryption key with its own leaf key to acquireK(t)001. Also, the device 2 can decrypt an encryption key Enc(K(t)001,K(t)00) on the next bottom stage with K(t)001 it has acquired by thedecryption, thereby to acquire a renewed node key K(t)00. After that,the device 2 decrypts an encryption key Enc(K(t)00, K(t)0) on the nexttop stage in FIG. 33A to acquire a renewed node key K(t)0, and decryptsencryption key Enc(K(t)0, K(t)R) on the top stage in FIG. 33A to acquirea renewed encryption K(t)R. On the other hand, for the devices 0 and 1,a node key K000 is not to be renewed but node keys to be renewed areK(t)00, K(t)0 and K(t)R. The devices 0 and 1 decrypt an encryption keyEnc(K000, K(t)00) on a third top stage in FIG. 33A to acquire a renewednode key K(t)00. Subsequently, the devices 0 and 1 decrypt an encryptionkey Enc(K(t)00, K(t)0) on the second top stage in FIG. 33A to acquire arenewed node key K(t)0, and decrypts an encryption key Enc(K(t)0, K(t)R)on the top stage in FIG. 33A to acquire a renewed node key K(t)R. Inthis way, the devices 0, 1 and 2 can acquire the renewed node keysK(t)00, K(t)0 and K(t)R. Note that “Index” in FIG. 33A shows an absoluteaddress of a node key or leaf key used as a decryption key.

The node keys K0 and KR on the top stage of the tree structure shown inFIG. 32 have not to be renewed. In case only the node key K00 has to berenewed, use of the key renewal block (KRB) in FIG. 33B enables todistribute the renewed node key K(t)00 to the devices 0, 1 and 2.

KRB shown in FIG. 33B is usable for distribution of a new master key forcommon use in a specific group for example. More particularly, thedevices 0, 1, 2 and 3 in the group shown in a dotted-line circle in FIG.32 uses a certain recording medium and need a new common master keyK(t)master. At this time, a node key K(t)00 derived from renewal of thenode key K00 common to the devices 0, 1, 2 and 3 is used to distributedata Enc(K(t), K(t)master) derived from encryption of the new commonmaster key K(t)master along with KRB shown in FIG. 33B. With thisdistribution, data which cannot be decrypted in the devices included inanother group, for example, device 4, can be distributed.

That is, the devices 0, 1 and 2 can acquire the master key K(t)master ata time t by decrypting the encrypted data with K(t)00 acquired byprocessing KRB.

[Master Key Distribution Using KRB]

FIG. 34 shows the procedure for acquisition of a master key K(t)masterat the time t by the device 0 having acquired a data Enc(K(t)00,K(t)master) derived from encryption of a new common master keyK(t)master with K(T)00, and KRB shown in FIG. 33B.

As shown in FIG. 34, the device 0 creates a node key K(t)00 by a similarprocessing of KRB to the above from KRB at a time t (generation in whichKRB is stored) and node K000 prestored in itself. Further, the device 0decrypts the renewed master key K(t)master with the decrypted renewednode key K(t)00, encrypts it with its own leaf key K0000 for later use,and stores it. Note that in case the device 0 can safely store therenewed master key K(t)master therein, it is not necessary to encrypt itwith the leaf key K0000.

Also, the acquisition of the renewed master key will be described withreference to the flow chart shown in FIG. 35. It is assumed here thatthe recorder/player is granted the latest master key K(c)master at thetime of shipment and has it safely stored in its own memory (moreprecisely, as encrypted with its own leaf key).

When the recoding medium having the renewed master key K(n)master andKRB stored therein is set in the recorder/player, the latter will read,first in step S3501, the generation number n of the master keyK(n)master (will be referred to as “prerecording generation informationGeneration #n” hereunder) from the recording medium. The recordingmedium has a generation number n of a master key K(n)master prestoredthere. Then, the recorder/player reads the encrypted master key C fromits own memory. In step S3502, it makes a comparison between thegeneration number c of its own encrypted master key and a generationnumber n indicated by the prerecording generation information Generation#n to judge which is larger or smaller, the generation numbers c or n.

If the recorder/player has judged in step S3502 that the generationnumber n indicated by the prerecording generation information Generation#n is not larger than the generation c of the encrypted master key Cstored in its own the memory, that is, if the generation number c of theencrypted master key C stored in the memory is as large as or largerthan the generation number n indicated by the prerecording generationinformation Generation #n, the recorder/player will skip over stepsS3503 to 3508 and exit the master key renewing procedure. In this case,since it is not necessary to renew the master key K(c)master (encryptedmaster key C) stored in the memory of the recorder/player, so therenewal will not be done.

On the other hand, if the recorder/player has judged in step S3502 thatthe generation number n indicated by the prerecording generationinformation Generation #n is larger than the generation number c of theencrypted master key C stored in the memory, that is, if the generationnumber c of the encrypted master key C stored in the memory is smallerthan the generation number n indicated by the prerecording generationinformation Generation #n, the recorder/player will go to step S3503where it will read a key renewal block (KRB) from the recording medium.

In step S3504, the recorder/player calculates a key K(t)00 for the node00 at a time (time t in FIG. 34) indicated by the prerecordinggeneration information Generation #n from KRB having been read in stepS3503, leaf key (K0000 for the device 0 in FIG. 32) and node keys (K000and K00, . . . for the device 0 in FIG. 32), stored in the memorythereof.

In step S3505, it is examined whether K(t)00 has been acquired in stepS3504. If not, it means that the recorder/player has been revoked fromthe group in the tree-structure at that time, and so the recorder/playerwill skip over steps S3506 to 3508 and exits the master key renewingprocedure.

If K(t)00 has been acquired, the recorder/player goes to step S3506where it will read a value derived from encryption of the master key atthe time t with Enc(K(t)00, K(t)master), namely, K(t)00, read from therecording medium. In step S3507, the recorder/player calculatesK(t)master by decrypting the encrypted value with K(t)00.

In step S3508, the recorder/player encrypts K(t)master with its own leafkey (K0000 for the device 0 in FIG. 32) and stores it into the memory.Here, the recorder/player will exit the master key renewing procedure.

It should be reminded here that the master key is used in the ascendingorder from the time (generation) 0 but each of devices in the systemshould desirably be able to acquire, by calculation, an older-generationmaster key from a new-generation master key. That is, therecorder/player should own a one-way function f and create a master keyin an examined generation by applying its own master key to the one-wayfunction f for a number of times corresponding to a difference betweenthe generation of the master key and that of a necessary master key.

More particularly, for example, in case the generation number of amaster key MK stored in the recorder/player is i+1 while the generationnumber of a masker key MK necessary for playback of a data (having beenused for recording the data) is i−1, the recorder/player creates amaster key K(i−1)master by using the one-way function f twice andcalculating f(f(K(i+1)master)).

Also, in case the generation number of the master key stored in therecorder/player is i+1 while that of the necessary master key is i−2,the recorder/player creates a master key K(i−2)master by using theone-way function f twice and calculating f(f(f(K(i+1)master))).

The one-way function may be a hash function for example. Moreparticularly, the hash function may be MD5 (message digest 5), SHA-1(secure hash algorithm-1) or the like for example. A key issuinginstitution should determine master keys K(0)master, K(1)master,K(2)master, . . . , K(n)master with which a generation older than thegeneration of the master key for the device in consideration can bepre-created using these one-way functions. That is, first of all, amaster key K(N)master of a generation No. N should be set and theone-way function be applied once to the master key K(N)master, therebycreating master keys K(N−1)master, K(N−2)master, . . . , K(1)master,K(0)master of the preceding generations one after another. The masterkeys should be used one after another starting with the master keyK(0)master of the earliest generation. Note that it is assumed that theone-way function used to create a master key of a generation older thanthe generation for the device in consideration is set in all therecorder/players.

Also, as the one-way function, there may be used the public keycryptography for example. In this case, the key issuing institute shouldown a private key which is based on the public key cryptography, andissue a public key corresponding to the private key to each of all theplayers. The key issuing institute should set a 0-th generation masterkey K(0)master and use master keys starting with K(0)master. That is,when the key issuing institute needs a master key K(i)master youngerthan the first-generation master key, it converts a master keyK(i−1)master one generation older than the master key K(i)master withthe private key to create the master key K(i)master for use. Thus, thekey issuing institute has not to pre-create the master key of thegeneration No. N using the one-way function. With this way of keycreation, it is theoretically possible to create a master key over allgenerations. Note that if the recorder/player has a master key of ageneration, it will be able to convert the master key with the publickey to acquire a master key of a generation older than that generation.

[5. Storage of Key Renewal Block (KRB) Into Recording Medium byRecorder/Player]

In the above example, a key renewal block (KRB) is prestored in arecording medium. However, the recorder/player can record a KRB receivedfrom any other device via the input/output I/F, IC card, modem or thelike to a recording medium when it initially records data to therecording medium or each time it records data to the recording medium.

That is, as shown in FIG. 36, the recorder/player may also be adapted toacquire a KRB and unencrypted data derived from encryption of a masterkey with a node key in advance via the input/output I/F, IC card, modemor the like, store them in its own memory, and process them as in theflow chart in FIG. 37 when recording content data to the recordingmedium.

Operations of the recorder/player in KRB recording to a recording mediumwill be described with reference to FIG. 37. In step S3701, therecorder/player checks whether a KRB is already recorded in a recordingmedium to which data is going to be recorded. If KRB is found alreadyrecorded in the recording medium, the recorder/player skips over stepS3702 and exits the KRB storing procedure (goes to content datarecording procedure). If no KRB is found recorded in the recordingmedium, the recorder/player goes to step S3702 where it will record KRBstored in its own memory and unencrypted data derived from encryption ofa master key to the recording medium. After completion of this KRBstoring procedure, the recorder/player will go to content data recordingprocedure).

FIG. 39 shows an example construction of the recording medium used inthis embodiment. A recording medium generation number is stored into therecording medium shown in FIG. 39. The recording medium is generallyindicated with a reference 3900. The recording medium 3900 has recordedtherein a generation number (Generation #n) as generation informationindicative of the smallest generation number of a master key MKnecessary for data recording and playback to and from the recordingmedium 3900. It should be reminded that the generation n umber(Generation #n) is prerecorded into a recording medium 3900 beingproduced for example, and similar to the aforementioned prerecordinggeneration information (prerecording Generation #n).

The smallest generation number of the master key MK necessary forrecording or playing back data to or from the recording medium 3900shown in FIG. 39 is n. The generation number n is given as a sequentialgeneration number. If the generation number of a master key stored inthe memory of the recording/player is smaller than the generation numbern, recording to, or playback from, the recording medium 3900 in FIG. 39will be rejected.

For recording or playing back data to or from the recording medium 3900having a generation number (prerecording generation number) recordedtherein, set in the recorder/player, the recorder/player makes acomparison between the generation number (prerecording generationnumber) and generation number of the master key stored in therecorder/player. If the generation number of the master key stored inthe memory of the recorder/player is smaller than the generation number(prerecording generation number) n of the recording medium, therecorder/player cannot record any data to, or play back any data from,the recording medium 3900 in FIG. 39.

As mentioned above, the smallest generation number of the master key MKnecessary for data recording or playback to or from the recording medium3900 in FIG. 39 is n. If the generation number of the master key storedin the memory of the recorder/player is as large as or larger than thesmallest generation number n, the recorder/player can record data to therecording medium 3900 in FIG. 39. However, if the generation number ofthe master key stored in the memory of the recorder/player is smallerthan the smallest generation number n, the recorder/player is notallowed to record data to the recording medium 3900. Even if therecording medium 3900 has data recorded therein with anyolder-generation master key by an inappropriate device, an appropriatedevice will not play back the data from the recording medium 3900. Also,since data legally recorded to the recording medium 3900 has beenencrypted with a master key having a generation number as large as orlarger than the smallest generation number n without fail, if thegeneration number of the master key stored in the memory of therecorder/player is smaller than the smallest generation number n, therecorder/player cannot decrypt (play back) data from the recordingmedium.

Note that the prerecording generation information Generation #n isrecorded in an area of the recording medium 3900 where it cannot berewritten (unrewritable area), for example, in the lead-in area, wherebythe key table and prerecording generation information Generation #n areprevented from illegally being rewritten.

The device is designed so that recording of data to the recording medium3900 shown in FIG. 39 cannot be done (allowed) without a master key MKof a generation younger than that indicated by the prerecordinggeneration information in the recording medium 3900. Therefore, as therecording medium 3900 having recorded therein a prerecording generationinformation Generation #n indicating a generation is distributed, therenewal of the master key in a recorder which records data to therecording medium 3900 or a recorder/player (in FIG. 6) which can recordor play back to or from the recording medium 3900 is promoted, wherebythe number of the recorders or recorder/players using a master key MKhaving a generation smaller than Generation #n decreases with the resultthat it is possible to prevent data from illegally being decrypted.

That is to say, a recorder having the master key thereof not renewed canrecord data to the recording medium (optical disc) 150 shown in FIG. 4and having no prerecording generation information recorded therein. Aninformation player having the master key thereof not renewed will beable to play the optical disc 150 having data thus recorded therein. Onthe other hand, recording of data to the recording medium 3900 havingthe prerecording generation information recorded therein and having beendescribed with reference to FIG. 39 is not allowed unless there isavailable a master key MK of a generation younger than the generationindicated by the prerecording generation information. Namely, sincerecording of data to the recording medium 3900 needs a master key of ageneration younger than the generation indicated by the prerecordinggeneration information recorded in the recording medium 3900, it ispossible to prevent a recorded having the master key thereof not renewedfrom recording data to the recording medium 3900.

Note that the master key renewing procedure may be such that a keyrenewal block (KRB) and unencrypted data derived from encryption of anencrypted master key with a node key are acquired via an input/outputI/F, IC card, modem or the like and a renewed master key can be acquiredby processing the KRB. Since only a device having node key and leaf keywith which KRB can be decrypted as in the above can process KRB, it isnot necessary to make any mutual authentication for distribution of KRBand only an appropriate device can acquire a renewed master key.

[6. Construction of the Data Processor]

Note that the aforementioned series of operations can be done by ahardware or by a software. Namely, the cryptography unit 650 for examplecan be formed from an encryption/decryption LSI and also thecryptography, namely, the encryption/decryption, by the cryptographyunit 650 can be done by having a general-purpose computer or a one-chipmicrocomputer execute a corresponding program. For effecting the seriesof operations by a software, a program including the software isinstalled in a general-purpose computer, one-chip microcomputer or thelike. FIG. 40 shows an example construction of one embodiment of acomputer in which the program for the series of operations is installed.

The program can be prerecorded in a hard disc 4005 and ROM 4003 asrecording media incorporated in the computer. Alternatively, the programmay be stored (recorded) provisionally or permanently in a removablerecording medium 4010 such as a floppy disc, CD-ROM (compact discread-only memory), MO (magneto-optical) disc, DVD (digital versatiledisc), magnetic disc, semiconductor memory or the like. Such a removablerecording medium 4010 can be provided as a so-called package software.

It should be reminded that the program can be installed from theaforementioned removable recording medium 4010 to a computer, otherwise,transferred from a download site to the computer by a radiocommunication network over a digital broadcasting satellite ortransferred to the computer over a cable via a network such as LAN(local area network), Internet or the like, the computer receives theprogram thus transferred by a communication unit 4008 thereof andinstall it into the built-in hard disc 4005.

The computer incorporates a CPU (central processing unit) 4002 as shown.The CPU 4002 is connected to an input/output interface 4011 via a bus4001. When the CPU 4002 is supplied with an instruction from an inputunit 4007 operated by the user, such as a keyboard, mouse or the likevia the input/output interface 4011, it executes the program stored in aROM (read-only memory) 4003.

Alternatively, the CPU 4002 loads, into a RAM (random-access memory)4004 for execution, a program stored in the hard disc 4005, a programtransferred from a satellite or network, received by the communicationunit 4008 and installed into the hard disc 4005 or a program read fromthe removable recording medium 4010 set in a drive 4009 and installedinto the hard disc 4005.

Thus, the CPU 4002 makes operations as in the aforementioned flow chartsor operations as in the aforementioned block diagrams. The CPU 4002outputs results of these operations from an output unit 4006 such as anLCD (liquid crystal display) or speaker, or transmits them from thecommunication unit 4008, or records them to the hard disc 4005, via theinput/output interface 4011, as necessary.

Note that the operations or processes to describe a program which allowsthe computer to do a variety of operations may not always be done in thetime sequence as in the flow charts but may include ones which areexecuted in parallel or individually (parallel processes or processes byobjects, for example).

The program may be a one which can be executed by a single computer orin a decentralized manner by a plurality of computers. Further, theprogram may be a one which can be transferred to a remote computer forexecution.

In the above, the present invention has been described concerning theexample that a cryptography block formed from one-chipencryption/decryption LSI encrypts and decrypts a content. Note howeverthat the content encryption/decryption block may also be a singlesoftware module which is to be executed by a CPU.

In the foregoing, the present invention has been described in detailconcerning specific embodiments thereof. However, it will be apparentthat the present invention can be modified or altered by those skilledin the art without departure from the scope and spirit thereof. That is,the embodiments of the present invention has been described by way ofexample and the present invention is not limited to these embodiments.The substance of the present invention is referred to the claims definedlater.

INDUSTRIAL APPLICABILITY

In the information recording/playback apparatus and method according tothe present invention, when the device has not the first key of anecessary generation for data recording or playback, a message forprompting to renew the key is displayed to the user, thereby permittingto accelerate the key renewal for the entire system and prevent datafrom illegally being copied.

In addition, in the information recording/playback apparatus and methodaccording to the present invention, when the device has not the firstkey of the necessary generation for data recording or playback, a key ofthe necessary generation is acquired from an external device, therebypermitting to accelerate the key renewal for the entire system andprevent data from illegally being copied.

Further in the information recording/playback apparatus and methodaccording to the present invention, the cryptography unit can be used tocreate a key of an older generation based on a key of a generationstored in the device, thereby permitting to prevent data from illegallybeing copied while maintaining the interoperability.

Further, the information recording medium according to the presentinvention has stored therein generation information indicating thegeneration of a key usable for data encryption or decryption, and aninformation recorder/player makes a comparison between the generation ofa key stored therein and the generation information stored in therecording medium to judge whether data recording or playback can be doneor not. Therefore, it is possible to prevent data from being copied witha key of an older generation, which is now invalid.

Further in the key renewing terminal and method according to the presentinvention, a renewed key can be acquired via a key renewing terminalprovided separately from a recorder/player. For example, a device whichhas to renew the master key because the master key of any other devicebelonging to the same category has been uncovered, can establish acommunication path to a key issuing institute via the key renewingterminal, and thus the terminals belonging to the same category can besupported in different manners, respectively.

Further in the information recording/playback apparatus and methodaccording to the present invention, since renewal data for a master keyis transmitted along with a key renewal block (KRB) by thetree-structural key distribution system, so a decryptable master key canbe transmitted or distributed only to a device in which the key have tobe renewed and thus the size of a message to be distributed can bereduced. Further, a key which is decryptable only by a specific group ofdevices defined by the tree structure and which cannot be decrypted byany other devices not belonging to the group, can be distributed so thatthe security of the key distribution or delivery can be assured.

1. An information recorder for recording information to a recordingmedium, the apparatus comprising: a cryptography means for encryptinginformation to be recorded to the recording medium by a cryptographywith a generation-managed encryption key which is renewed to a differentkey for each generation; and a user interface for making a comparisonbetween generation information on a device-stored generation-managedencryption key stored in a storage means of the information recorder andprerecording generation information which is recording-medium generationinformation prestored in the recording medium, and outputting a warningwhen the comparison result is that the prerecording generationinformation is newer than the generation information on thedevice-stored generation-managed encryption key.
 2. The apparatusaccording to claim 1, wherein the device-stored generation-managedencryption key is a master key stored in common to a plurality ofinformation recorders.
 3. The apparatus according to claim 1, whereinthe cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information.
 4. Theapparatus according to claim 1, wherein the cryptography means includesmeans for creating, based on the device-stored generation-managedencryption key, a generation-managed encryption key whose generationinformation is older than the generation information on thedevice-stored generation-managed encryption key.
 5. The apparatusaccording to claim 1, wherein: the cryptography means includes means forrenewing, when the prerecording generation information is newer than thegeneration information on the device-stored generation-managedencryption key, a generation-managed encryption key of a generation asyoung as or younger than that indicated by the prerecording generationinformation; and the key renewing means decrypts an encryptedto-be-renewed generation-managed encryption key with a device key storedin the information recorder to create an renewed generation-managedencryption key.
 6. The apparatus according to claim 5, wherein thecryptography means acquires a key table in which the encryptedto-be-renewed generation-managed encryption key and a decrypting devicekey identifier are correlated with each other to decrypt the encryptedto-be-renewed generation-managed encryption key with a device keyidentified based on the device key identifier in the key table.
 7. Theapparatus according to claim 5, wherein the device key is a key commonto information recorders grouped by categorization into a commoncategory.
 8. The apparatus according to claim 5, wherein the device keyis a key common to information recorders enclosed in the same group bygrouping based on serial numbers assigned to the information recorders.9. The apparatus according to claim 1, wherein: there are held a nodekey unique to each of nodes included in a hierarchical tree structureincluding a plurality of different information recorders each as a leafand a leaf key unique to each of the information recorders; and thegeneration-managed encryption key is a key which can be renewed with atleast either the node key or leaf key.
 10. The apparatus according toclaim 9, wherein the generation-managed encryption key is a master keycommon to the plurality of information recorders.
 11. The apparatusaccording to claim 9, wherein: the node key can be renewed; there isdistributed, when a node key is to be renewed, a key renewal block (KRB)derived from encryption of the renewed node key with at least either anode key or leaf key on a lower stage of the tree structure to aninformation recorder at a leaf where the node key has to be renewed; andthe cryptography means in the information recorder receives renewal datafor the generation-managed encryption key encrypted with the renewednode key, encrypts the key renewal block (KRB) to acquire the renewednode key, and acquires renewal data for the generation-managedencryption key based on the thus-acquired renewed node key.
 12. Theapparatus according to claim 9, wherein: the key renewal block (KRB) isstored in a recording medium; and the cryptography means encrypts thekey renewal block (KRB) read from the recording medium.
 13. Theapparatus according to claim 9, wherein: the generation-managedencryption key has a generation number as renewal information correlatedtherewith; and the cryptography means stores, as a recording generationnumber into the recording medium, a generation number of thegeneration-managed encryption key having been used for storing encrypteddata into the recording medium.
 14. An information recorder forrecording information to a recording medium, the apparatus comprising: acryptography means for encrypting information to be recorded to therecording medium by a cryptography with a generation-managed encryptionkey which is renewed to a different key for each generation; and a keyacquiring means for making a comparison between generation informationon a device-stored generation-managed encryption key stored in a storagemeans of the information recorder and prerecording generationinformation which is recording-medium generation information prestoredin the recording medium, and acquiring a generation-managed encryptionkey of a generation as young as or younger than that indicated by theprerecording generation information when the comparison result is thatthe prerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key. 15.The apparatus according to claim 14, wherein the key acquiring meansincludes a communication interface capable of receiving data via anetwork.
 16. The apparatus according to claim 14, wherein the keyacquiring means includes a communication modem capable of receiving datavia a telephone line.
 17. The apparatus according to claim 14, whereinthe key acquiring means includes an I/C card interface capable ofreceiving data via an IC card.
 18. The apparatus according to claim 14,wherein: the cryptography means makes a mutual authentication with a keyserving means when the key acquiring means is going to acquire thegeneration-managed encryption key; and the key acquiring means effectsthe acquisition of the generation-managed key only when the mutualauthentication with the key serving means has successfully been made.19. The apparatus according to claim 14, wherein the device-storedgeneration-managed encryption key is a master key common to a pluralityof information recorders.
 20. The apparatus according to claim 14,wherein the cryptography means includes means for renewing, when theprerecording generation information is newer than the generationinformation on the device-stored generation-managed encryption key, ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information.
 21. Theapparatus according to claim 14, wherein the cryptography means includesa key creating means for creating, based on the device-storedgeneration-managed encryption key, a generation-managed encryption keywhose generation information is older than the generation information onthe device-stored generation-managed encryption key.
 22. The apparatusaccording to claim 14, wherein: the cryptography means includes meansfor renewing, when the prerecording generation information is newer thanthe generation information on the device-stored generation-managedencryption key, a generation-managed encryption key of a generation asyoung as or younger than that indicated by the prerecording generationinformation; and the key renewing means decrypts an encryptedto-be-renewed generation-managed encryption key with a device key storedin the information recorder to create an renewed generation-managedencryption key.
 23. The apparatus according to claim 22, wherein thecryptography means acquires a key table in which the encryptedto-be-renewed generation-managed encryption key and a decrypting devicekey identifier are correlated with each other to decrypt the encryptedto-be-renewed generation-managed encryption key with a device keyidentified based on the device key identifier in the key table.
 24. Theapparatus according to claim 22, wherein the device key is a key commonto information recorders grouped by categorization into a commoncategory.
 25. The apparatus according to claim 22, wherein the devicekey is a key common to information recorders enclosed in the same groupby grouping based on serial numbers assigned to the informationrecorders.
 26. The apparatus according to claim 14, wherein: there areheld a node key unique to each of nodes included in a hierarchical treestructure including a plurality of different information recorders eachas a leaf and a leaf key unique to each of the information recorders;and the generation-managed encryption key is a key which can be renewedwith at least either the node key or leaf key.
 27. The apparatusaccording to claim 26, wherein the generation-managed encryption key isa master key common to the plurality of information recorders.
 28. Theapparatus according to claim 26, wherein: the node key can be renewed;there is distributed, when a node key is to be renewed, a key renewalblock (KRB) derived from encryption of the renewed node key with atleast either a node key or leaf key on a lower stage of the treestructure to an information recorder at a leaf where the node key has tobe renewed; and the cryptography means in the information recorderreceives renewal data for the generation-managed encryption keyencrypted with the renewed node key, encrypts the key renewal block(KRB) to acquire the renewed node key, and acquires renewal data for thegeneration-managed encryption key based on the thus-acquired renewednode key.
 29. The apparatus according to claim 26, wherein: the keyrenewal block (KRB) is stored in a recording medium; and thecryptography means encrypts the key renewal block (KRB) read from therecording medium.
 30. The apparatus according to claim 26, wherein: thegeneration-managed encryption key has a generation number as renewalinformation correlated therewith; and the cryptography means stores, asa recording generation number into the recording medium, a generationnumber of the generation-managed encryption key having been used forstoring encrypted data into the recording medium.
 31. An informationrecorder for recording information to a recording medium, the apparatuscomprising: a cryptography means for encrypting information to berecorded to the recording medium by a cryptography with ageneration-managed encryption key which is renewed to a different keyfor each generation; and a key renewing terminal connecting interfacefor connection of a key renewing terminal which makes a comparisonbetween generation information on a device-stored generation-managedencryption key stored in a storage means of the information recorder andprerecording generation information which is recording-medium generationinformation prestored in the recording medium, and acquires ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information when thecomparison result is that the prerecording generation information isnewer than the generation information on the device-storedgeneration-managed encryption key.
 32. The apparatus according to claim31, wherein: a mutual authentication with the key renewing terminal iseffected to acquire the generation-managed encryption key from the keyrenewing terminal; and the acquisition of the generation-managedencryption key is effected only when the mutual authentication with thekey renewing terminal has successfully been made.
 33. The apparatusaccording to claim 31, wherein: there are held a node key unique to eachof nodes included in a hierarchical tree structure including a pluralityof different information recorders each as a leaf and a leaf key uniqueto each of the information recorders; and the generation-managedencryption key is a key which can be renewed with at least either thenode key or leaf key.
 34. The apparatus according to claim 33, whereinthe generation-managed encryption key is a master key common to theplurality of information recorders.
 35. The apparatus according to claim33, wherein: the node key can be renewed; there is distributed, when anode key is to be renewed, a key renewal block (KRB) derived fromencryption of the renewed node key with at least either a node key orleaf key on a lower stage of the tree structure to an informationrecorder at a leaf where the node key has to be renewed; and thecryptography means in the information recorder receives renewal data forthe generation-managed encryption key encrypted with the renewed nodekey, encrypts the key renewal block (KRB) to acquire the renewed nodekey, and acquires renewal data for the generation-managed encryption keybased on the thus-acquired renewed node key.
 36. The apparatus accordingto claim 33, wherein: the key renewal block (KRB) is stored in arecording medium; and the cryptography means encrypts the key renewalblock (KRB) read from the recording medium.
 37. The apparatus accordingto claim 33, wherein: the generation-managed encryption key has ageneration number as renewal information correlated therewith; and thecryptography means stores, as a recording generation number into therecording medium, a generation number of the generation-managedencryption key having been used for storing encrypted data into therecording medium.
 38. An information player for playing back informationfrom a recording medium, the apparatus comprising: a cryptography meansfor decrypting information read from the recording medium by acryptography with a generation-managed encryption key which is renewedto a different key for each generation; and a user interface for makinga comparison between generation information on a device-storedgeneration-managed decryption key stored in a storage means of theinformation player and recording generation information which isgeneration information having been used for recording the information tothe recording medium, and outputting a warning when the comparisonresult is that the recording generation information is newer than thegeneration information on the device-stored generation-manageddecryption key.
 39. The apparatus according to claim 38, wherein thecryptography means does not make any information decryption when acomparison made between the recording generation information which isgeneration information having been used for recording the information tothe recording medium and prerecording generation information which isrecording medium generation information prestored in the recordingmedium shows that the prerecording generation information is newer thanthe recording generation information.
 40. The apparatus according toclaim 38, wherein the device-stored generation-managed decryption key isa master key stored in common to a plurality of information players. 41.The apparatus according to claim 38, wherein the cryptography meansincludes means for renewing, when the prerecording generationinformation is newer than the generation information on thedevice-stored generation-managed decryption key, a generation-manageddecryption key of a generation as young as or younger than thatindicated by the prerecording generation information.
 42. The apparatusaccording to claim 38, wherein the cryptography means includes a keycreating means for creating, based on the device-storedgeneration-managed decryption key, a generation-managed decryption keywhose generation information is older than the generation information onthe device-stored generation-managed decryption key.
 43. The apparatusaccording to claim 38, wherein the cryptography means includes means forrenewing, when the recording generation information is newer than thegeneration information on the device-stored generation-managedencryption key, a generation-managed encryption key of a generation asyoung as or younger than that indicated by the prerecording generationinformation; and the key renewing means decrypts an encryptedto-be-renewed generation-managed encryption key with a device key storedin the information player to create an renewed generation-managedencryption key.
 44. The apparatus according to claim 43, wherein thecryptography means acquires a key table in which the encryptedto-be-renewed generation-managed encryption key and a decrypting devicekey identifier are correlated with each other to decrypt the encryptedto-be-renewed generation-managed encryption key with a device keyidentified based on the device key identifier in the key table.
 45. Theapparatus according to claim 43, wherein the device key is a key commonto information players grouped by categorization into a common category.46. The apparatus according to claim 43, wherein the device key is a keycommon to information players enclosed in the same group by groupingbased on serial numbers assigned to the information players.
 47. Theapparatus according to claim 38, wherein: there are held a node keyunique to each of nodes included in a hierarchical tree structureincluding a plurality of different information players each as a leafand a leaf key unique to each of the information players; and thegeneration-managed encryption key is a key which can be renewed with atleast either the node key or leaf key.
 48. The apparatus according toclaim 47, wherein the generation-managed encryption key is a master keycommon to the plurality of information players.
 49. The apparatusaccording to claim 47, wherein: the node key can be renewed; there isdistributed, when a node key is to be renewed, a key renewal block (KRB)derived from encryption of the renewed node key with at least either anode key or leaf key on a lower stage of the tree structure to aninformation player at a leaf where the node key has to be renewed; andthe cryptography means in the information player receives renewal datafor the generation-managed decryption key encrypted with the renewednode key, encrypts the key renewal block (KRB) to acquire the renewednode key, and acquires renewal data for the generation-manageddecryption key based on the thus-acquired renewed node key.
 50. Theapparatus according to claim 47, wherein: the key renewal block (KRB) isstored in a recording medium; and the cryptography means encrypts thekey renewal block (KRB) read from the recording medium.
 51. Theapparatus according to claim 47, wherein: the generation-manageddecryption key has a generation number as renewal information correlatedtherewith; and for decryption of encrypted data read from the recordingmedium, the cryptography means reads, from the recording medium, ageneration number of the generation-managed encryption key having beenused for encrypting the data and decrypts the encrypted data with ageneration-managed decryption key corresponding to the thus-readgeneration number.
 52. An information player for playing backinformation from a recording medium, the apparatus comprising: acryptography means for decrypting information read from the recordingmedium by a cryptography with a generation-managed decryption key whichis renewed to a different key for each generation; and a key acquiringmeans for making a comparison between generation information on adevice-stored generation-managed decryption key stored in a storagemeans of the information player and recording generation informationwhich is generation information having been used for recording theinformation, and acquiring a generation-managed decryption key of ageneration as young as or younger than that indicated by the recordinggeneration information when the comparison result is that the recordinggeneration information is newer than the generation information on thedevice-stored generation-managed decryption key.
 53. The apparatusaccording to claim 52, wherein the cryptography means does not make anyinformation decryption when a comparison made between the recordinggeneration information which is generation information having been usedfor recording the information to the recording medium and prerecordinggeneration information which is recording medium generation informationprestored in the recording medium shows that the prerecording generationinformation is newer than the recording generation information.
 54. Theapparatus according to claim 52, wherein the key acquiring meansincludes a communication interface capable of receiving data via anetwork.
 55. The apparatus according to claim 52, wherein the keyacquiring means includes a communication modem capable of receiving datavia a telephone line.
 56. The apparatus according to claim 52, whereinthe key acquiring means includes an I/C card interface capable ofreceiving data via an IC card.
 57. The apparatus according to claim 52,wherein: the cryptography means makes a mutual authentication with a keyserving means when the key acquiring means is going to acquire thegeneration-managed decryption key; and the key acquiring means effectsthe acquisition of the generation-managed key only when the mutualauthentication with the key serving means has successfully been made.58. The apparatus according to claim 52, wherein the device-storedgeneration-managed decryption key is a master key common to a pluralityof information players.
 59. The apparatus according to claim 52, whereinthe cryptography means includes means for renewing, when the recordinggeneration information is newer than the generation information on thedevice-stored generation-managed decryption key, a generation-manageddecryption key of a generation as young as or younger than thatindicated by the recording generation information.
 60. The apparatusaccording to claim 52, wherein the cryptography means includes a keycreating means for creating, based on the device-storedgeneration-managed encryption key, a generation-managed decryption keywhose generation information is older than the generation information onthe device-stored generation-managed decryption key.
 61. The apparatusaccording to claim 52, wherein: the cryptography means includes meansfor renewing, when the recording generation information is newer thanthe generation information on the device-stored generation-manageddecryption key, a generation-managed encryption key of a generation asyoung as or younger than that indicated by the recording generationinformation; and the key renewing means decrypts an encryptedto-be-renewed generation-managed decryption key with a device key storedin the information player to create an renewed generation-managedencryption key.
 62. The apparatus according to claim 61, wherein thecryptography means acquires a key table in which the encryptedto-be-renewed generation-managed encryption key and a decrypting devicekey identifier are correlated with each other to decrypt the encryptedto-be-renewed generation-managed encryption key with a device keyidentified based on the device key identifier in the key table.
 63. Theapparatus according to claim 61, wherein the device key is a key commonto information players grouped by categorization into a common category.64. The apparatus according to claim 61, wherein the device key is a keycommon to information players enclosed in the same group by groupingbased on serial numbers assigned to the information players.
 65. Theapparatus according to claim 52, wherein: there are provided a node keyunique to each of nodes included in a hierarchical tree structureincluding a plurality of different information players each as a leafand a leaf key unique to each of the information players; and thegeneration-managed decryption key is a key which can be renewed with atleast either the node key or leaf key.
 66. The apparatus according toclaim 65, wherein the generation-managed decryption key is a master keycommon to the plurality of information players.
 67. The apparatusaccording to claim 65, wherein: the node key can be renewed; there isdistributed, when a node key is to be renewed, a key renewal block (KRB)derived from decryption of the renewed node key with at least either anode key or leaf key on a lower stage of the tree structure to aninformation player at a leaf where the node key has to be renewed; andthe cryptography means in the information player receives renewal datafor the generation-managed decryption key encrypted with the renewednode key, encrypts the key renewal block (KRB) to acquire the renewednode key, and acquires renewal data for the generation-manageddecryption key based on the thus-acquired renewed node key.
 68. Theapparatus according to claim 65, wherein: the key renewal block (KRB) isstored in a recording medium; and the cryptography means encrypts thekey renewal block (KRB) read from the recording medium.
 69. Theapparatus according to claim 65, wherein: the generation-manageddecryption key has a generation number as renewal information correlatedtherewith; and for decryption of encrypted data read from the recordingmedium, the cryptography means reads, from the recording medium, ageneration number of the generation-managed encryption key having beenused for encrypting the data and decrypts the encrypted data with ageneration-managed decryption key corresponding to the thus-readgeneration number.
 70. An information player for playing backinformation from a recording medium, the apparatus comprising: acryptography means for decrypting information read from the recordingmedium by a cryptography with a generation-managed decryption key whichis renewed to a different key for each generation; and a key renewingterminal connecting interface for connection of a key renewing terminalwhich makes a comparison between generation information on adevice-stored generation-managed encryption key stored in a storagemeans of the information player and recording generation informationwhich is generation information having been used for recording theinformation to the recording medium and acquires a generation-manageddecryption key of a generation as young as or younger than thatindicated by the generation information on the device-storedgeneration-managed decryption key when the comparison result is that therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key. 71.The apparatus according to claim 70, wherein: a mutual authenticationwith a key serving means is effected when the key acquiring means isgoing to acquire the generation-managed decryption key; and theacquisition of the generation-managed key is effected only when themutual authentication with the key serving means has successfully beenmade.
 72. The apparatus according to claim 70, wherein: there are held anode key unique to each of nodes included in a hierarchical treestructure including a plurality of different information players each asa leaf and a leaf key unique to each of the information players; and thegeneration-managed decryption key is a key which can be renewed with atleast either the node key or leaf key.
 73. The apparatus according toclaim 72, wherein the generation-managed decryption key is a master keycommon to the plurality of information players.
 74. The apparatusaccording to claim 72, wherein the node key can be renewed, there isdistributed, when a node key is to be renewed, a key renewal block (KRB)derived from decryption of the renewed node key with at least either anode key or leaf key on a lower stage of the tree structure to aninformation player at a leaf where the node key has to be renewed; andthe cryptography means receives renewal data for the generation-manageddecryption key encrypted with the renewed node key, encrypts the keyrenewal block (KRB) to acquire the renewed node key, and acquiresrenewal data for the generation-managed decryption key based on thethus-acquired renewed node key.
 75. The apparatus according to claim 72,wherein: the key renewal block (KRB) is stored in a recording medium;and the cryptography means encrypts the key renewal block (KRB) readfrom the recording medium.
 76. The apparatus according to claim 72,wherein: the generation-managed decryption key has a generation numberas renewal information correlated therewith; and for decryption ofencrypted data read from the recording medium, the cryptography meansreads, from the recording medium, a generation number of thegeneration-managed encryption key having been used for encrypting thedata and decrypts the encrypted data with a generation-manageddecryption key corresponding to the thus-read generation number.
 77. Aninformation recording method for recording information to a recordingmedium, the method comprising the steps of: encrypting information to berecorded to the recording medium by a cryptography with ageneration-managed encryption key which is renewed to a different keyfor each generation; making a comparison between generation informationon a device-stored generation-managed encryption key stored in a storagemeans of an information recorder and prerecording generation informationwhich is recording-medium generation information prestored in therecording medium; and outputting a warning when the comparison result isthat the prerecording generation information is newer than thegeneration information on the device-stored generation-managedencryption key.
 78. An information recording method for recordinginformation to a recording medium, the method comprising the steps of:encrypting information to be recorded to the recording medium by acryptography with a generation-managed encryption key which is renewedto a different key for each generation; and making a comparison betweengeneration information on a device-stored generation-managed encryptionkey stored in a storage means of the information recorder andprerecording generation information which is recording-medium generationinformation prestored in the recording medium; and acquiring ageneration-managed encryption key of a generation as young as or youngerthan that indicated by the prerecording generation information when thecomparison result is that the prerecording generation information isnewer than the generation information on the device-storedgeneration-managed encryption key.
 79. The method according to claim 78,wherein the key acquiring step further includes the steps of: renewingthe generation-managed encryption key with at least either a node keyunique to each of nodes included in a hierarchical tree structureincluding a plurality of different information recorders each as a leafor a leaf key unique to each of the information recorders; andencrypting data to be recorded into the recording medium with thegeneration-managed encryption key renewed in the renewing step.
 80. Themethod according to claim 79, wherein the generation-managed encryptionkey is a master key common to the plurality of information recorders.81. The method according to claim 79, wherein: the node key can berenewed; there is distributed, when a node key is to be renewed, a keyrenewal block. (KRB) derived from encryption of the renewed node keywith at least either a node key or leaf key on a lower stage of the treestructure to an information recorder at a leaf where the node key has tobe renewed; and the renewing step further including the steps of:acquiring a renewed node key by encryption of the key renewal block(KRB); and calculating renewal data for the generation-managedencryption key based on the thus-acquired renewed node key.
 82. Themethod according to claim 79, wherein: the generation-managed encryptionkey has a generation number as renewal information correlated therewith;and the encrypting step further includes the step of: storing, as arecording generation number into the recording medium, a generationnumber of the generation-managed encryption key having been used forstoring encrypted data into the recording medium.
 83. An informationplayback method for playing back information from a recording medium,the method including the steps of: decrypting information read from therecording medium by a cryptography with a generation-managed encryptionkey which is renewed to a different key for each generation; making acomparison between generation information on a device-storedgeneration-managed decryption key stored in a storage means of theinformation player and recording generation information which isgeneration information having been used for recording the information tothe recording medium; and outputting a warning when the comparisonresult is that the recording generation information is newer than thegeneration information on the device-stored generation-manageddecryption key.
 84. An information playback method for playing backinformation from a recording medium, the method including: decryptinginformation read from the recording medium by a cryptography with ageneration-managed decryption key which is renewed to a different keyfor each generation; making a comparison between generation informationon a device-stored generation-managed decryption key stored in a storagemeans of an information recorder/player and recording generationinformation which is generation information having been used forrecording the information; and acquiring a generation-managed decryptionkey of a generation as young as or younger than that indicated by therecording generation information when the comparison result is that therecording generation information is newer than the generationinformation on the device-stored generation-managed decryption key. 85.The method according to claim 84, wherein the key acquiring step furtherincludes the steps of: renewing the generation-managed decryption keywith at least either a node key unique to each of nodes included in ahierarchical tree structure including a plurality of differentinformation players each as a leaf or a leaf key unique to each of theinformation players; and decrypting data to be recorded into therecording medium with the generation-managed decryption key renewed inthe renewing step.
 86. The method according to claim 85, wherein thegeneration-managed decryption key is a master key common to theplurality of information players.
 87. The method according to claim 85,wherein: the node key can be renewed; there is distributed, when a nodekey is to be renewed, a key renewal block (KRB) derived from encryptionof the renewed node key with at least either a node key or leaf key on alower stage of the tree structure to an information player at a leafwhere the node key has to be renewed; and the renewing step furtherincluding the steps of: acquiring a renewed node key by encryption ofthe key renewal block (KRB); and calculating renewal data for thegeneration-managed decryption key based on the thus-acquired renewednode key.
 88. The method according to claim 85, wherein: thegeneration-managed decryption key has a generation number as renewalinformation correlated therewith; and the decrypting step furtherincludes the step of: reading a generation number of thegeneration-managed encryption key having been used for encrypting thedata from the recording medium; and decrypting the encrypted data readfrom the recording medium with a generation-managed decryption keycorresponding to the thus-read generation number.
 89. An informationrecording medium to which information can be recorded, the medium havingstored therein: prerecording generation information as generationinformation on a key allowed as an encryption key usable for writingencrypted data to the information recording medium or a decryption keyusable for decrypting data read from the information recording medium.90. The information recording medium according to claim 89, wherein theprerecording generation information is recorded in an unrewritable areaof the information recording medium.
 91. A key renewing terminal forserving a renewed generation-managed key to an information recorder orplayer having a cryptography means for encrypting information to berecorded to a recording medium or an information recorder or playerhaving a cryptography means for decrypting information read from arecording medium, each by a cryptography with a generation-managed keywhich can be renewed to a different key for each generation, theapparatus comprising: an interface connectable to the informationrecorder or player; means for communications with outside; and means forcontrolling each of acquisition of a device-unique identifier from theinformation recorder or player via the interface, transmission of thedevice-unique identifier via the communications means, and transfer ofthe renewed generation-managed key to the information recorder or playervia the interface.
 92. A key renewing terminal for serving a renewedgeneration-managed key to an information recorder or player having acryptography means for encrypting information to be recorded to arecording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the apparatuscomprising: an interface connectable to the information recorder orplayer; a storage means having stored therein a key table in which ageneration-managed key encrypted with a device-unique encryption key iscorrelated with an identifier unique to the information recorder orplayer; and means for controlling each of acquisition of thedevice-unique identifier from the information recorder or player via theinterface, acquisition, based on the device-unique identifier, of anencrypted generation-managed key corresponding to the device-uniqueidentifier from the storage means, and transfer of the renewedgeneration-managed key to the information recorder or player via theinterface.
 93. The medium according to claim 92, wherein: a mutualauthentication is effected with the information recorder or player; andthe generation-managed key is served to the information recorder orplayer only when the mutual authentication-has successfully be made. 94.A generation-managed key renewing method for serving a renewedgeneration-managed key to an information recorder or player having acryptography means for encrypting information to be recorded to arecording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the method comprisingthe steps of: connecting a key renewing terminal including an interfaceconnectable to the information recorder or player and means forcommunications with outside to the information recorder or player;acquiring a device-unique identifier from the information recorder orplayer via the interface; transmitting the device-unique identifier viathe communications means; receiving the renewed generation-managed keyvia the communications means; and transferring the renewedgeneration-managed key to the information recorder or player via theinterface.
 95. A generation-managed key renewing method for serving arenewed generation-managed key to an information recorder or playerhaving a cryptography means for encrypting information to be recorded toa recording medium or an information recorder or player having acryptography means for decrypting information read from a recordingmedium, each by a cryptography with a generation-managed key which canbe renewed to a different key for each generation, the method comprisingthe steps of: connecting a key renewing terminal including an interfaceconnectable to the information recorder or player and a storage meanshaving stored therein a key table in which a generation-managed keyencrypted with an encryption key unique to a device-unique key iscorrelated with a device-unique identifier of the information recorderor player to the information recorder or player; acquiring thedevice-unique identifier from the information recorder or player via theinterface; acquiring, based on the device-unique identifier, anencrypted generation-managed key corresponding to the device-unique keyfrom the storage means; and transferring a renewed generation-managedkey to the information recorder or player via the interface.
 96. Themethod according to claim 95, wherein: a mutual authentication iseffected with the information recorder or player; and the renewedgeneration-managed key is served to the information recorder or playeronly when the mutual authentication has successfully be made.
 97. Aprogram serving medium for serving a computer program under whichinformation is recorded to a recording medium in a computer system, thecomputer program comprising the steps of: making a comparison betweengeneration information on a device-stored generation-managed encryptionkey stored in a storage means of an information recorder andprerecording generation information which is recording-medium generationinformation prestored in the recording medium; encrypting information tobe stored into the recording medium by a cryptography with ageneration-managed encryption key which can be renewed to a differentkey for each generation; and effecting at least either outputting of awarning or acquisition of a generation-managed encryption key of ageneration as young as or younger than that indicated by the generationinformation on the device-stored generation-managed encryption key whenthe comparison result is that the prerecording generation information isnewer than the generation information on the device-storedgeneration-managed encryption key.
 98. The medium according to claim 97,wherein the computer program further including the step of renewing thegeneration-managed encryption key by encryption of encrypted data readfrom the recording medium with at least either a node key unique to eachof nodes included in a hierarchical tree structure including a pluralityof different information recorders each as a leaf or a leaf key uniqueto each of the information recorders.
 99. A program serving medium forserving a computer program under which information is recorded to arecording medium in a computer system, the computer program comprisingthe steps of: making a comparison between generation information on adevice-stored generation-managed encryption key stored in a storagemeans of an information player and recording generation informationwhich is generation information having been used for recording theinformation to the recording medium; decrypting information read fromthe recording medium by a cryptography with a generation-manageddecryption key which can be renewed to a different key for eachgeneration; and effecting at least either outputting of a warning oracquisition of a generation-managed encryption key of a generation asyoung as or younger than that indicated by the generation information onthe device-stored generation-managed decryption key when the comparisonresult is that the recording generation information is newer than thegeneration information on the device-stored generation-manageddecryption key.
 100. The medium according to claim 99, wherein thecomputer program further including the step of renewing thegeneration-managed decryption key by decryption of encrypted data readfrom the recording medium with at least either a node key unique to eachof nodes included in a hierarchical tree structure including a pluralityof different information players each as a leaf or a leaf key unique toeach of the information players.